US government orders federal agencies to patch 100s of vulnerabilities (Security News, November 2021)
In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022.
In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities cataloged on a public website managed by CISA.
All agencies are being asked to work from CISA's catalog, which currently lists almost 300 known security vulnerabilities, each with links to information on how to patch it and a due date by which it must be patched.
With its own catalog, CISA is trying to remove some of the complexity for government agencies by listing which vulnerabilities are considered critical and actively being exploited, along with how they can be patched and by when.
"It's no longer up to individual agencies to decide which vulnerabilities are the highest priority to patch. The positive outcome to expect here is that agencies will address these vulnerabilities more effectively with this guidance. There's also a risk that this approach won't account for nuances in how risk is assessed for each agency, but there's plenty of evidence that such nuances aren't being accounted for now either."
Agencies must set up a process by which they can patch the security flaws identified by CISA, which means assigning roles and responsibilities, establishing internal tracking and reporting, and validating when the vulnerabilities have actually been patched.
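The tracking, reporting and validation steps above are easy to describe and easy to get wrong: a vulnerability is not closed because someone says it was patched. The script below is an added illustration, not code from the article or from CISA. It assumes the catalog is published as JSON with a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, requiredAction and dueDate fields (an assumption about the feed's schema); the catalog entries, CVE numbers, dates and tracking records in it are constructed placeholders. It reconciles the catalog against an agency's own tracking records and flags each entry as closed, awaiting validation, overdue, due soon or open.

```python
import json
from datetime import date, timedelta

# Constructed sample catalog in the shape assumed for CISA's public KEV JSON
# feed. The field names are an assumption about that feed's schema; the CVE
# numbers, vendors, products and dates are placeholders, not real entries.
SAMPLE_CATALOG_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherRouter",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "OtherCMS",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-25"}
  ]
}
"""

# Constructed internal tracking record (hypothetical): what the agency believes
# it has fixed. "validated" is True only once the fix has been re-scanned or
# otherwise confirmed; a bare claim of "patched" does not close the item.
SAMPLE_TRACKING = {
    "CVE-0000-0001": {"owner": "network-team", "patched_on": "2021-11-10", "validated": True},
    "CVE-0000-0003": {"owner": "network-team", "patched_on": "2021-11-15", "validated": False},
}


def load_catalog(text):
    """Parse the catalog JSON and return entries with dueDate as a date object."""
    data = json.loads(text)
    entries = []
    for v in data["vulnerabilities"]:
        entries.append({
            "cveID": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "dueDate": date.fromisoformat(v["dueDate"]),
            "requiredAction": v["requiredAction"],
        })
    return entries


def classify(entry, record, today, soon_days=7):
    """Return one status for a catalog entry given the agency's tracking record."""
    if record is not None and record["validated"]:
        return "closed"                      # patched and independently confirmed
    if record is not None:
        return "awaiting-validation"         # claimed patched, not yet confirmed
    if today > entry["dueDate"]:
        return "overdue"                     # past CISA's due date, nothing recorded
    if today + timedelta(days=soon_days) >= entry["dueDate"]:
        return "due-soon"                    # due within the warning window
    return "open"


def build_report(catalog_text, tracking, today):
    """Produce per-CVE rows (sorted by due date) and a status summary for reporting."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for entry in sorted(load_catalog(catalog_text), key=lambda e: e["dueDate"]):
        record = tracking.get(entry["cveID"])
        rows.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dueDate": entry["dueDate"].isoformat(),
            "owner": record["owner"] if record else "unassigned",
            "status": classify(entry, record, today),
        })
    summary = {}
    for row in rows:
        summary[row["status"]] = summary.get(row["status"], 0) + 1
    return rows, summary


if __name__ == "__main__":
    report_rows, report_summary = build_report(SAMPLE_CATALOG_JSON, SAMPLE_TRACKING, "2021-11-20")
    for row in report_rows:
        print(f'{row["cveID"]:14} due {row["dueDate"]}  {row["owner"]:14} {row["status"]:20} {row["product"]}')
    print("summary:", report_summary)
```

The separate "awaiting-validation" state is the point: an entry leaves the report only after someone has verified the fix, which is the validation step the directive asks agencies to build in. Entries with no owner recorded surface as "unassigned", which covers the roles-and-responsibilities requirement in the same pass.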