The government's cybersecurity watchdog is increasingly issuing emergency instructions to agencies for handling high-risk vulnerabilities, something analysts say reflects both CISA's stature and the environment its working in.
Hours after warning that government agencies have been affected by vulnerabilities found in a piece of virtual private networking software, the Cybersecurity and Infrastructure Security Agency issued its third emergency directive in five months to civilian federal agencies.
The new directive instructs agencies to repeatedly run a tool on all devices using Pulse Connect Secure products that checks for issues associated with exploits allegedly being used by a hacking campaign with links to the Chinese government.
If the tool does not detect an issue, agencies should continue to run it daily until a patch is developed or apply a workaround mitigation. CISA also wrote that it is coordinating its response with FedRAMP, the government's program to provide a standardized security assessment for cloud products and services.
"Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this directive," according to CISA.
"If instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider," the directive continues.
Federal agencies are required to submit a status report to CISA by Friday and CISA plans to provide a follow-on report to the Homeland Security secretary and director of the Office of Management and Budget by May 10.
The vulnerabilities, and attribution to Chinese government, were reported in an April 20 blog post by FireEye, which identified two separate campaigns both exploiting weaknesses in Pulse Secure products. The threat actors so far have targeted U.S. defense contractors as well as unspecified European organizations, according to the cybersecurity firm.
The new emergency directive is the third since December 2020 when the agency initially became aware of the intrusion involving SolarWinds, followed by a second in March when Microsoft announced several zero-day vulnerabilities were being exploited in its Exchange products being run on-premise.
By comparison, according to CISA's website, the agency and its predecessor only issued four directives throughout fiscal year 2020 prior to SolarWinds, and in most cases less than three directives per year prior to 2020.
Tatyana Bolton, a former CISA official and now policy director of the Cybersecurity and Emerging Threats program at the R Street Institute, said the uptick in directives is indicative of the agency gaining confidence as the country's cybersecurity watchdog.
"With the elevation of CISA through the Cyberspace Solarium Commission, more funding in the recent COVID bill, and its growing stature, CISA now feels more confident to put out directives that will protect greater swaths of our federal networks," she said.
Matt Hayden, formerly a senior Department of Homeland Security official and now a vice president at Exiger, said the number of directives reflects a new, faster cadence of serious cybersecurity emergencies that are becoming visible following the initial detection of malware in SolarWinds.
CISA looks "at that measuring stick of are we putting out too many alerts versus is this something so critical that hits our watermark for an emergency directive?" Hayden said.
"The three so far in 2021, and the numerous ones in 2020, all met that threshold, which puts us in a precarious position where vulnerabilities are becoming more sincere, and more drastic for the government networks, as well as for critical infrastructure that rely on them," he continued.