How CISA’s list of “must-patch” vulnerabilities has expanded in both size, and in who’s using it

While CISA says the catalog is catching on, some think it needs improvement.

CISA tells agencies to fix hundreds of software flaws, prep for future vulnerabilities

The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday. It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021. Under the order, agencies must patch vulnerabilities from a CISA-created catalog by dates that range from two weeks for flaws observed this year to six months for those prior. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future. CISA said the directive is a response to its belief […]

CISA orders agencies to set up vulnerability disclosure programs

Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector. Now, to put an end to the feet-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs). CISA on Wednesday issued a directive requiring agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life. “We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director […]

DHS issues draft order to require vulnerability disclosure policies at civilian agencies

The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first. On Wednesday, DHS’ Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications. The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place. “[I]t’s the public […]

DHS is mulling an order that would force agencies to set up vulnerability disclosure programs

Department of Homeland Security officials could in the coming months issue an order that would require federal civilian agencies to establish vulnerability disclosure programs that allow independent researchers to find flaws in agency websites and software applications, multiple officials told CyberScoop. DHS is mulling the release of a Binding Operational Directive (BOD), an authority that compels agencies to get their security houses in order. The measure would be a response to the lack of federal progress on vulnerability disclosure programs (VDPs). Such programs are commonplace in the private sector, as they allow resource-strapped organizations to tap outside security expertise, or at least allow the public to flag a security issue before it is found by hackers with malicious intent. Out of scores of civilian agencies, fewer than 10 have VDPs in place, according to officials at DHS’s Cybersecurity and Infrastructure Security Agency. “Agencies have not implemented vulnerability disclosure in a consistent fashion,” said Matt Hartman, an […]

New DHS order pushes agencies to quickly patch vulnerabilities

The Department of Homeland Security has ordered federal civilian agencies to more swiftly plug the vulnerabilities found on their networks, citing evidence that hackers are getting quicker at exploiting such bugs. In a Binding Operational Directive (BOD) dated April 29, DHS’s Cybersecurity and Infrastructure Security Agency gives agencies 15 days after discovery to fix vulnerabilities deemed critical – as opposed to the 30 days that agencies previously had to address those flaws. “Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” reads the memo from CISA Director Chris Krebs. The new directive also gives agencies 30 days to fix vulnerabilities labeled “high” in severity, which are a step below critical. That is another change from a 2015 order, now revoked, which did not provide a […]

Kaspersky Lab takes U.S. government to court over federal software ban

Russian anti-virus maker Kaspersky Lab is suing the U.S. government for its decision to ban the company’s software in federal agencies and departments, according to an open letter written by company founder Eugene Kaspersky. Citing a lack of due process and insufficient evidence relating to the Department of Homeland Security’s Binding Operational Directive (BOD) 17-01, Kaspersky is claiming the U.S. government violated the Administrative Procedures Act and the Fifth Amendment. The Administrative Procedures Act controls how administrative agencies can propose and establish regulations, requiring organizations to provide “substantial evidence” for their decisions if questioned by a U.S. court. In September, DHS ordered civilian agencies to remove Kaspersky Lab from their computers within 90 days via the directive. Although the process had been ongoing for some time, the ban was then codified into law last week when U.S. President Donald Trump signed the National Defense Authorization Act (NDAA). The lawsuit represents […]