In September 2020, I warned that federal agencies were unprepared to meet CISA's Binding Operational Directive (BOD) to establish Vulnerability Disclosure Programs (VDPs). Without established processes to fix bugs, or even to apply patches for well-known vulnerabilities, the gaps in people, process, and technology needed to meet these objectives will come back to bite us in the national security end.
It seems CISA has had time to absorb the realities of the lack of infrastructure and maturity across the federal government in basic cyber hygiene, such that the agency just had to issue an explicit new BOD establishing deadlines for remediation of a handful of vulnerabilities that have actively been exploited by criminals and state actors, some of them several years old. CISA is also giving federal agencies 60 days to establish a process by which they will keep up with basic patching on an ongoing basis.
While this will certainly help, it is long overdue. I publicly warned of this gap not only in September of last year, both here and later in my opinion piece in The Hill, but also during my Congressional testimony in May 2021 on supply chain risk in the wake of the SolarWinds attacks, and in my first Congressional testimony, in 2018, on the Uber data breach and the abuse of their bug bounty program to try to bury the breach.
Despite the newest directive to patch some vulnerabilities within 2 weeks, many older vulnerabilities are being given an additional grace period of up to 6 months to apply those patches – which is absolutely bizarre. Headline-making vulnerabilities that led to breaches like Equifax’s in 2017 should not be OK to leave unpatched in federal systems until May 2022.
It is time to take process preparation for vulnerability management seriously, and not make it up as we go along, with steps completed out of order, hoping for the best.
Federal agencies and other organizations should come talk to the only company offering expert process, staffing, and policy guidance to comprehensively support their vulnerability management and disclosure process. Let’s not give our adversaries more time to exploit our weaknesses. For more of my thoughts, check out this NPR interview.