U.S. Cybersecurity Agencies Move to Protect Critical Data Infrastructure
By November 15, 2021 0 186•
Do you remember the series of high-profile infrastructure attacks against critical U.S. sectors earlier this year? Well, now the United States government is taking matters into its own hands by ordering the patching of various vulnerabilities in affected systems. It’s a massive effort to thwart hackers and other cyberthreats from taking root in vulnerable homeland systems.
Issued by the Cybersecurity and Infrastructure Security Agency (CISA), this directive requires all federal agencies and organizations to resolve a series of known, exploited vulnerabilities during this timeframe — with some notable exceptions for national security-related infrastructures — by a range of due dates, from Nov. 2021 through May 2022.
The CIA’s website (at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog) even categorizes these known, exploited vulnerabilities. The catalog includes all sorts of information on each known vulnerability, and all of them (around 300 or so) are believed to pose some sort of risk to the federal government. It also contains links to the National Institute for Science and Technology (NIST) database for guidance on how to apply patches and resolve these vulnerabilities.
This is a massive cybersecurity undertaking and one that will inevitably lead to some confusion as patches are deployed and administered — especially since each of the departments is responsible for deploying their own updates and are only accountable to CISA. That said, CISA is putting some pressure on these organizations to meet specific objectives and requirements within a set amount of time.
The timeline for deploying these patches and updates varies, but within 60 days, agencies must review and update their policies on vulnerability management. These policies and procedures must then be furnished upon request. Agencies must also have a policy in place for deploying the directive from CISA, a process that does not comes without complexities: organizations will have to identify who is responsible for what, as well as how they’ll plan to track and report on the implementation process.
Patch management can be difficult for governments, but it’s even more challenging for small businesses that don’t have the seemingly limitless spending power and other resources afforded to larger organizations and enterprises. Instead of resolving issues that need to be resolved, small and mid-size businesses (SMBs) tend to get around to patching things only when they have the time and staffing to do so. This is not the correct approach, however, as every day you wait to patch vulnerabilities on your system is another day that hacking operations can exploit them.
Computerware can make the patch implementation process easy. We can automatically or remotely deploy patches and security updates to your organization’s hardware and software solutions without an on-site visit.
To learn more, go to: https://www.cwit.com/blog, or reach out to us at (703) 821-8200.
Alan Edwards, CISM, is chief information officer at Computerware, Inc., in Vienna, Virginia.