The direction was issued by the Cybersecurity and Infrastructure Security Agency (CISA), and it essentially assigned due dates ranging from November 2021 to May 2022. CISA is urging all federal agencies and organizations to resolve certain known and exploited vulnerabilities during this timeline. There are some notable exceptions for national security-related infrastructures, though.
The catalog of known, exploited vulnerabilities is located on CISA’s website. This catalog contains information on each known vulnerability, and all of them (around 300 or so) are all believed to pose some kind of threat to the federal government. The catalog also links to NIST database entries for guidance on how to apply these patches and resolve these vulnerabilities.
This is obviously a huge undertaking and one that could lead to miscommunications, confusion, and more throughout the patching process. This is especially true when you consider that each department is responsible for deploying their own updates and are only accountable to CISA. Even so, CISA is applying pressure on these organizations to meet specific criteria within a timeframe.
This timeline varies, but within 60 days, agencies must review and update their policies on vulnerability management, and these new policies must be made available to CISA upon request. Agencies must also have a policy in place for carrying out the directive issued by CISA. Organizations must identify who is responsible for this, as well as how they plan to track and report on the implementation process.
If you think patch management is difficult for governments, then imagine how difficult it can be for small businesses with more limited spending power and fewer resources at their disposal. SMBs tend to patch vulnerabilities when they have the time and resources to do so rather than when they need to be deployed, which is not the correct approach. For each day you don’t resolve a vulnerability, you are giving hackers countless opportunities to break into your network.
Aspire can help your business with patch implementation and update deployment. We can make this process automatic and easy to take advantage of. You’ll find that there are countless benefits to freeing yourself from the worries associated with technology management and maintenance, and trust us when we say you’ll never have to worry about patches or updates again.
To learn more, reach out to us at (469) 7-ASPIRE.
