A directive from the Cybersecurity and Infrastructure Security Agency will require all federal civilian agencies to patch the security flaws listed in CISA's public catalog of known exploited vulnerabilities. Agencies have up to six months to do so (via WSJ): flaws with CVE identifiers assigned before 2021 must be fixed within six months, and those assigned in 2021 within two weeks.
The order applies to all software and hardware on federal information systems, including systems hosted by third parties such as federal contractors. It covers catalogued flaws even when they are rated low severity, and it is the first such directive to require fixes on both internet-connected and offline systems.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said:
While this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.
Since taking office, President Biden has made cybersecurity a national priority. In May, following the ransomware attack on Colonial Pipeline, he signed an executive order to improve U.S. cybersecurity. CISA has also formed the Joint Cyber Defense Collaborative, a public-private partnership aimed at stopping ransomware and other cyberattacks, including those on cloud computing providers.