The U.S. Cybersecurity and Infrastructure Security Agency is requiring federal government agencies to patch cyber vulnerabilities more quickly and by priority.
“Defenders cannot afford to take weeks to patch systems that can be autonomously exploited in mass,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a June 10 news conference. “Ultimately, this new framework of patching smarter, not harder, ensures that federal civilian agencies address the most critical of vulnerabilities and fast.”
The operational directive, issued June 10, applies to federal civilian executive branch agencies, which include:
- The Department of the Treasury, which did not respond to multiple requests for comment;
- The FDIC, which declined to comment;
- The Federal Reserve Board, which told FinAi News that it would follow the directive and implement any necessary changes; and
- The Office of the Comptroller of the Currency, which did not respond to multiple requests for comment.
Agencies were required to set up a patch prioritization protocol by mid-June.
“AI has transformed cybersecurity for both defenders and attackers,” Anton Dahbura, co-director of the Johns Hopkins Institute for Assured Autonomy and executive director of the Johns Hopkins University Information Security Institute, told FinAi News. “It enables faster detection of threats, automated incident response and identification of anomalies across massive datasets. At the same time, attackers use AI to generate sophisticated phishing campaigns, create convincing deepfakes and automate malware development.”
“The result is an accelerating arms race in which AI increasingly determines both the speed and sophistication of cyber offense and defense.” — Anton Dahbura, co-director, Johns Hopkins Institute for Assured Autonomy, and executive director, Johns Hopkins University Information Security Institute.
Determining patch timelines
CISA established the Known Exploited Vulnerabilities (KEV) list in 2021 to help federal agencies determine which patches should be expedited and which could wait. The new directive further categorizes KEVs and non-KEVs to help agencies prioritize timely patches. CISA determined the urgency of vulnerability remediation based on whether:
- The vulnerable hardware or software is publicly exposed;
- A bad actor can automate all the steps necessary to exploit the vulnerability; and
- A bad actor, if successful in the attack, can gain partial or total control of the vulnerable hardware or software.
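The three criteria above can be turned into a small triage routine. The block below is an added illustration, not CISA's code and not taken from the directive: the tier names, the rule that combines the criteria (all three true means expedite; otherwise KEV membership or exposure with a control gain means the standard track; everything else waits for the next scheduled update), and the sample findings are all assumptions made here, and no deadline from the directive is reproduced.

```python
"""Added illustration of KEV-aware patch triage (not CISA's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset (constructed for this example)."""
    finding_id: str        # placeholder identifier, not a real CVE number
    asset: str
    on_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    publicly_exposed: bool # reachable from the internet
    automatable: bool      # every step needed to exploit can be automated
    control_gain: str      # "none", "partial" or "total"


# Tier labels are placeholders; the directive's actual timelines are not shown here.
EXPEDITE = "expedite"
STANDARD = "standard"
NEXT_CYCLE = "next-scheduled-update"


def urgency(f: Finding) -> str:
    """Map one finding to a tier using the three criteria (assumed combination rule)."""
    gains_control = f.control_gain in ("partial", "total")
    if f.publicly_exposed and f.automatable and gains_control:
        return EXPEDITE
    if f.on_kev or (f.publicly_exposed and gains_control):
        return STANDARD
    return NEXT_CYCLE


def triage(findings):
    """Group finding ids by tier, preserving input order within each tier."""
    tiers = defaultdict(list)
    for f in findings:
        tiers[urgency(f)].append(f.finding_id)
    return dict(tiers)


def tier_share(findings):
    """Percentage of findings in each tier, rounded to one decimal."""
    total = len(findings)
    return {tier: round(100.0 * len(ids) / total, 1) for tier, ids in triage(findings).items()}


# Constructed sample inventory (identifiers and hosts are invented).
SAMPLE = [
    Finding("EXAMPLE-0001", "vpn-gateway", True, True, True, "total"),
    Finding("EXAMPLE-0002", "hr-portal", True, False, True, "partial"),
    Finding("EXAMPLE-0003", "file-server", False, True, False, "partial"),
    Finding("EXAMPLE-0004", "build-host", False, False, False, "none"),
    Finding("EXAMPLE-0005", "web-frontend", False, True, True, "none"),
]

if __name__ == "__main__":
    for tier, ids in triage(SAMPLE).items():
        print(f"{tier}: {', '.join(ids)}")
    print(tier_share(SAMPLE))
```

Feeding a real scanner export into `Finding` records lets an agency see, as in the analysis quoted later in the article, how small the expedite tier is relative to everything that can wait for a scheduled cycle.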
Affected agencies must establish a process immediately and set internal tracking and reporting requirements.
Agencies must also remove Cyber Hygiene source IP addresses from blocklists. CISA’s free Cyber Hygiene service scans agencies’ systems for vulnerabilities — but only if agencies haven’t accidentally blocked its source IPs. All government agencies use Cyber Hygiene.
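A quick way to check a firewall or IDS blocklist for entries that would silently block the scanner is to test each entry for overlap with the scanner's published source ranges. This is an added example, not CISA's tooling; the ranges below are RFC 5737 documentation addresses standing in for the real Cyber Hygiene source addresses, which are not reproduced on this page, and the blocklist lines are constructed.

```python
"""Added example: flag blocklist entries that overlap scanner source ranges."""
import ipaddress

# Placeholder ranges (RFC 5737 documentation space), not CISA's actual addresses.
SCANNER_SOURCES = ["192.0.2.0/24", "198.51.100.0/25"]


def blocked_scanner_entries(blocklist_lines, scanner_sources=SCANNER_SOURCES):
    """Return the blocklist entries that overlap any scanner source network.

    Lines that are blank, comments, or not parseable as an address/CIDR are
    skipped so the check can run over a raw exported list.
    """
    sources = [ipaddress.ip_network(s) for s in scanner_sources]
    hits = []
    for raw in blocklist_lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry; not an address the firewall would apply
        if any(net.overlaps(src) for src in sources):
            hits.append(entry)
    return hits


# Constructed blocklist export for the example.
SAMPLE_BLOCKLIST = [
    "# exported deny list",
    "203.0.113.0/24",      # unrelated range, should not be flagged
    "192.0.2.55",          # single host inside a scanner range
    "198.51.100.0/24",     # supernet that covers a scanner range
    "10.0.0.0/8",
    "not-an-address",
]

if __name__ == "__main__":
    for entry in blocked_scanner_entries(SAMPLE_BLOCKLIST):
        print("would block scanner:", entry)
```

Running this against each blocklist source (perimeter firewall, WAF, host-based rules) before a scan window catches the accidental blocks the article describes; the supernet case matters because a broad deny rule can cover a scanner range without listing it verbatim.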
Prioritizing vulnerabilities
In one unnamed federal agency analyzed by CISA, just 1% of vulnerabilities needed patching within three days — while more than 60% could wait for the next scheduled update, Butera said.
With better patch prioritization, agencies can focus their efforts where it is most needed.
“If vulnerabilities can be weaponized in a day or a week, even waiting 30 days to do a critical patch — which has been typically what regulation has mandated — that’s far too long, and so we have to rethink that,” Troy Leach, chief strategy officer at the nonprofit Cloud Security Alliance, told FinAi News.