The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a catalog of vulnerabilities, including flaws in products from Apple, Cisco, Microsoft, and Google, that have known exploits and are being actively exploited by malicious cyber actors, and is requiring federal agencies to prioritize applying patches for those security flaws within “aggressive” timeframes.
“These vulnerabilities pose significant risk to agencies and the federal enterprise,” the agency said in a binding operational directive issued Wednesday.
“It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”
About 176 vulnerabilities identified between 2017 and 2020, and 100 flaws from 2021, have made their way onto the initial list, which is expected to be updated with additional actively exploited vulnerabilities as they become known, provided they have been assigned Common Vulnerabilities and Exposures (CVE) identifiers and have a clear remediation action.
Although the binding operational directive (BOD) is primarily aimed at federal civilian agencies, CISA recommends that private businesses and state entities review the catalog and remediate the vulnerabilities to strengthen their security and resilience posture.
“Second, it provides due dates for remediating those vulnerabilities. By providing a common list of vulnerabilities to target for remediation, CISA is effectively leveling the playing field for agencies in terms of prioritization. It’s no longer up to each individual agency to decide which vulnerabilities are the highest priority to patch.”