
CISA to require federal agencies to patch some cyber vulnerabilities within 3 days

A new Cybersecurity and Infrastructure Security Agency (CISA) directive requires federal civilian agencies to patch certain cyber vulnerabilities within three days as part of a prioritization system that seeks to address the heightened threat environment posed by the rise of artificial intelligence.

The new binding operational directive, released Wednesday, includes four criteria for assessing the seriousness of a vulnerability.

The criteria are whether the vulnerable system is exposed to the public internet, whether the vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, whether exploitation can be automated, and what level of control an adversary would gain over the vulnerable system by exploiting it, CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said during a call with reporters.

Federal agencies will now need to patch vulnerabilities that meet three of those four criteria within 72 hours. CISA is giving agencies 180 days to adopt the new patching time frame, according to the directive.

Specifically, the three-day timeline will apply to vulnerabilities in internet-facing systems that are already being exploited, whose exploitation can be automated and that would give malicious actors at least some control over the affected system.

Where agencies determine that a vulnerability would let attackers take complete control of a system, they will also be required to examine the affected systems for signs of compromise and to patch within three days.

Agencies will have up to two weeks to patch vulnerabilities that meet the above criteria but whose exploitation is not automatable and would not give a threat actor full control of the system.

The directive also mandates that agencies check whether, and if so when and how, a vulnerable system was compromised before patching it.

“Applying a patch generally does not evict a threat actor,” a CISA press release said. A patch closes the entry point, but it does not remove footholds such as web shells, stolen credentials or persistence mechanisms that an intruder established before the fix was applied, which is why the directive pairs patching with a compromise assessment.

CISA is strongly urging state, tribal and local governments as well as critical infrastructure owners and operators to adopt similar vulnerability management regimes.

“This new directive expedites and prioritizes the cyber defense of civilian federal government information systems, prioritizing IT and security operations’ attention on the most at-risk assets,” Butera said. “It's particularly important now, given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in these assets.”

“Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse,” Butera added.

‘Good runway’

It is unclear how easy it will be for strapped federal agencies, many of which do not have advanced cyber expertise in house, to triage vulnerabilities against the four criteria. It is also unclear whether they will be able to complete patching within three days, a faster pace than has been required to date.

But CISA believes agencies should be able to do their work in three days, Butera said, and will support agencies that need help executing within the tight time frame.

“On the forensic triage piece, we do understand that some of this is going to be a newer step for some of the federal agencies to do,” Butera said. “We do have the ability to assist with triage analysis, for example, but we also gave the agencies a good runway to implement some of the new vulnerability management processes.”

CISA has analyzed how often federal agencies are contending with threats that meet three of the four criteria and require a patch within 72 hours. At one federal agency CISA studied, only 1% of vulnerabilities required patching within three days while more than 60% were less serious, requiring patching only at the time of the next system update.  

“CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities,” Acting CISA Director Nick Andersen said in a statement. “This directive provides clear definitions, timelines, and criteria that enhance transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation.”

Also on Wednesday, Sen. Mark Warner (D-VA) introduced legislation that directs CISA to collaborate with industry and regulators to modernize cybersecurity defense.

“As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” Warner said in a statement. 

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.