The Biden Administration, through the Cybersecurity & Infrastructure Security Agency (CISA), has issued a directive which applies to all software and hardware found on federal information systems, whether managed on agency premises or offsite by third-party vendors. The required actions apply to any federal information system, including those used or operated by other entities on behalf of an agency that collects, processes, stores, transmits, disseminates or maintains agency information.
The directive is intended to enforce and improve efforts to protect against malicious cyber campaigns by ensuring the security of information technology assets across the federal sector as a whole. The listed vulnerabilities have previously been used to exploit public and private organizations and pose significant risk to these agencies. It is imperative that we aggressively fix known vulnerabilities that are being actively exploited in order to protect these federal information systems and, ultimately, the American people’s security and privacy.
While the new directive requires action from federal civilian agencies only at this time, it is strongly recommended that private businesses and state, local, tribal and territorial (SLTT) governments review and monitor the CISA Catalog and work to remediate the listed vulnerabilities to strengthen their security as well.
Currently, all federal agencies have until January 2, 2022, to review and update their internal vulnerability management procedures to meet the new directive requirements. At a minimum, each agency policy must:
- Establish a remediation process for CISA identified vulnerabilities
- Assign roles and responsibilities for executing actions
- Define the actions required for prompt response
- Establish internal validation and enforcement procedures
- Set internal tracking and reporting requirements
A strict timeline has been set forth for each vulnerability within the catalog. It lists exploited vulnerabilities posing significant risk to federal information systems, with a requirement to remediate within 6 months, while Common Vulnerabilities and Exposures (CVEs) must be remediated within the next 2 weeks.
Next Steps
The Canton Group has been serving the federal government for over 20 years and has received numerous cybersecurity awards throughout this time. We are proud to have been named by the Baltimore Business Journal as one of the top cybersecurity companies for five years in a row. Let our team of experts guide you through the new directive to ensure that your federal information system is safe, secure, and up to date with all documented requirements.