The role of CISA
President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The mandate details his administration’s plans to improve the country’s digital infrastructure in order to address “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Biden stated, “Cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector…to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Since then, the US president and Cybersecurity and Infrastructure Security Agency, or CISA, has steadily followed through with plans to implement new mandates intended, hone regulations, and improve the nation’s security posture.
CISA was established in 2018 under the Trump administration. CISA leads national efforts to bolster US digital infrastrucure. Headed by Jen Easterly, CISA has been prolific in the cybersecurity space—mandating Binding Operational Directive (BOD) 22-01 and creating the Known Exploited Vulnerabilities Catalog (KEV). In addition, CISA has released numerous security advisories and joint reports detailing commonly exploited vulnerabilities used by Advanced Persistent Threats and other threat actors.
Here is a collection of Flashpoint’s coverage regarding the Biden Administration’s and CISA’s cybersecurity initiatives:
May 2023: CISA releases draft for secure software development
On May 1, 2023, CISA announced that proposed guidance for secure software development is now open to public review and opinion. For 60 days, the public can provide feedback on the draft for the self-attestation form. Government software providers are required to confirm they have implemented specific security practices.
The proposed draft was made in line with the requirements of Memorandum M-22-18. Per requirements, federal agencies can only use specific software that the developer has attested compliance with government-issued guidance on software supply chain security.
This guidance will apply to:
- Software produced after September 14, 2022
- Software-as-a-service products and other software receiving continuous code changes
- Existing software when a major change or changes occur
November 2022: Iranian APT compromises federal network
On November, 16, 2022, CISA reported that in June and July 2022 it provided incident response services to an unnamed Federal Civilian Executive Branch (FCEB) organization. The suspect appeared to be an Iranian APT group. Investigations show that this organization may have been compromised as early as February 2022.
Threat actors exploited the Log4Shell vulnerability (CVE-2021-44228) on an unpatched VMware Horizon server. The threat actors then moved laterally within the system.
CISA has yet to attribute this activity to a specific group. Flashpoint has seen two Iranian APT groups exploit Log4Shell in the past: APT35 and MuddyWater.
October 2022: CISA releases Joint CSAs detailing threat actor activity
CISA and the Federal Bureau of Investigation (FBI) recently released a Joint Cybersecurity Advisory (CSA) designed to assist organizations in preventing Distributed Denial-of-Service Attacks (DDoS). In this report, CISA advises that Internet of Things (IoT) devices such as home internet routers can pose a high risk due to poor security and their difficulty to patch.
Federal agencies released a joint advisory identifying twenty of the top vulnerabilities that have been actively exploited by Chinese state-sponsored cyber actors since 2020.
August 2022: H.R. 7900 and SBOM mandates
The US House of Representatives passed H.R. 7900 – National Defense Authorization Act for Fiscal Year 2023, and section 6722 could have serious impacts on the security industry and beyond. We break down H.R. 7900—the bill that requires companies working with the DoD to provide a Software Bill of Materials (SBOM) and patch all known vulnerabilities.
Cyber attacks like Log4Shell have led the Biden administration to work closely with security experts, as well as the Cybersecurity and Infrastructure Security Agency (CISA) to produce government resources and legislation intended to improve the United States’ security posture.
June 2022: Security advisories detail threats posed by APTs
The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) released an advisory outlining the different tactics, techniques, and procedures (TTPs), particularly common vulnerabilities and exploits (CVEs), that Chinese state-sponsored cyber-enabled actors are utilizing to attack and exploit entities and individuals abroad.
Biden Signs State and Local Government Cybersecurity Act Into Law: Establishes Rotational Cyber Workforce
President Biden signed two cyber-related bills into law on June 21, both of which aim to bolster the cybersecurity capabilities at—and across—various government entities.
CISA and United States Coast Guard Cyber Command (CGCYBER) warned that nation-state hackers are still exploiting Log4Shell (CVE-2021-44228), specifically targeting unpatched, internet-facing VMware Horizon and Unified Access Gateway servers.
May 2022: CISA Joint CSAs and ongoing KEV activity
CISA’s Joint Cybersecurity Advisory: Protecting Your Organization From Vulnerabilities – and 29,000 Other Known Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Joint Cybersecurity Advisory identifying the fifteen most exploited vulnerabilities in 2021. Among them, Log4Shell (CVE-2021-44228) was the most used by threat actors.
In May 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added five “new” vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog. Three of the entries were originally disclosed in 2014, including the infamous Heartbleed vulnerability (CVE-2014-0160).
March 2022: BOD 22-01, KEV Catalog, and Shields Up
Binding Operational Directive (BOD) 22-01 is a significant directive that impacts many organizations—especially those that support US government agencies.
BOD 22-01 and the KEV Catalog is a major shift from the traditional views of vulnerability management. While most vulnerability management frameworks place emphasis on severity scores, they do not provide context into whether an issue has actually been used in-the-wild.
Shields Up: Understanding Guidance From the Biden Administration About Possible Russian Cyberattacks
On March 21, the Biden Administration and CISA announced the Shields Up campaign. Urging the private sector to take steps to protect their systems against potential cyber attacks from Russia, given their ongoing invasion of Ukraine. This follows a warning from CISA that organizations outside of Ukraine could potentially be caught in the crosshairs of Russian Advanced Persistent Threat (APT) groups.
Remediate vulnerabilities with Flashpoint
Federal agencies will need comprehensive vulnerability intelligence to secure critical digital infrastructure and maintain national security. However, publicly available sources such as CVE/NVD may not provide proper visibility since they fail to report over 96,000 known vulnerabilities. Flashpoint’s VulnDB covers over 300,000 vulnerabilities affecting IT, OT, IoT, and third party libraries and dependencies—benefiting all organizations, including the private sector. Improve your security posture by signing up for a free trial today.