CISA pushes for stronger security requirements to safeguard sensitive personal and government-related data from foreign adversaries.
The need to implement Executive Order 14117, signed by President Biden in February 2024, is what triggered the Cybersecurity and Infrastructure Security Agency’s (CISA) proposal.
Once the new set of security requirements is approved, it will impact:
- AI developers
- cloud service providers
- telecommunication firms
- health and biotech organizations
- financial institutions
- defense contractors
What are CISA’s new security requirements?
In its new publication on Proposed Security Requirements for Restricted Transactions, America's Cyber Defense Agency included advisories regarding patch management, privileged access management, homomorphic encryption, and encryption key storage.
Here are some of the most important new CISA recommendations to protect sensitive data:
- Patch known exploited vulnerabilities (KEVs) in less than 14 calendar days. Critical-severity vulnerabilities that are not yet known to be exploited should be closed within 15 calendar days; high-severity ones can wait up to 30 calendar days.
- Enforce multifactor authentication (MFA) on all covered systems. Where MFA is not feasible on a particular system, passwords should be extremely strong, with a recommended length of 16 or more characters.
- Update the asset inventory monthly, including IP addresses and hardware MAC addresses
- Revoke access immediately when a privileged user leaves the organization or changes roles
- Log access sessions and store the logs securely
- Create an incident response plan applicable to covered systems, and review and update it yearly
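To make the patching deadlines above concrete, here is an added example (not code from the article or from CISA) that classifies a constructed set of vulnerability findings against the proposed thresholds and reports every SLA breach, whether the finding is still open or was patched late. The finding ids, hostnames and dates are constructed placeholders, and it assumes the clock starts on the day a patch becomes available.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Calendar-day thresholds from CISA's proposed requirements as summarised above.
KEV_DAYS = 14        # known exploited: "less than 14 days", so day 14 is already late
CRITICAL_DAYS = 15   # critical severity, not yet exploited
HIGH_DAYS = 30       # high severity


@dataclass
class Finding:
    host: str
    vuln_id: str            # constructed placeholder, not a real CVE id
    severity: str           # "critical", "high", "medium" or "low"
    kev: bool               # listed as known exploited
    patch_available: date   # assumption: the SLA clock starts here
    patched: Optional[date] = None


def deadline(f: Finding) -> Optional[date]:
    """Last compliant patch date, or None when no proposed threshold applies."""
    if f.kev:                                  # KEV status overrides severity
        return f.patch_available + timedelta(days=KEV_DAYS - 1)
    if f.severity == "critical":
        return f.patch_available + timedelta(days=CRITICAL_DAYS)
    if f.severity == "high":
        return f.patch_available + timedelta(days=HIGH_DAYS)
    return None


def sla_breaches(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(host, vuln_id, days_late) for every finding closed late or still open past its deadline."""
    breaches = []
    for f in findings:
        due = deadline(f)
        if due is None:
            continue
        closed_on = f.patched or today          # open findings are measured up to today
        if closed_on > due:
            breaches.append((f.host, f.vuln_id, (closed_on - due).days))
    return breaches


# Constructed sample inventory used for the demonstration.
TODAY = date(2024, 11, 1)
SAMPLE = [
    Finding("web-01", "VULN-A", "critical", True, date(2024, 10, 10)),   # KEV, open, due 2024-10-23
    Finding("db-02", "VULN-B", "critical", False, date(2024, 10, 20)),   # due 2024-11-04, still in time
    Finding("app-03", "VULN-C", "high", False, date(2024, 9, 15), patched=date(2024, 10, 20)),  # due 10-15
    Finding("fs-04", "VULN-D", "medium", False, date(2024, 8, 1)),       # no threshold in the proposal
]

if __name__ == "__main__":
    for host, vuln, late in sla_breaches(SAMPLE, TODAY):
        print(f"{host} {vuln}: {late} day(s) past the proposed deadline")
```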
Can you patch KEVs in less than 14 days?
One of the challenges that CISA's proposed requirements raise is fast patching. This year's Data Breach Investigations Report (DBIR) says:
"it takes around 55 days to remediate 50% of those critical vulnerabilities (KEVs) once their patches are available."
and also:
"enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching."
Source – DBIR 2024
So CISA's newly proposed requirements raise an already hard-to-reach bar for IT teams in charge of vulnerability management.
Its recommendation to update the asset inventory each month is another time- and resource-consuming task.
Both requirements are, however, understandable. DBIR also observed:
"a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years"
Source – DBIR 2024
It might sound impossible, but there's an easy way to get both timely patching and an up-to-date asset inventory with only a few clicks. Heimdal's Patch & Asset Management tool helps you cover both. It allows you to unify updates for Microsoft Windows, Apple macOS, Linux Ubuntu, and more.
Here’s what James Reed, Technical Director at iTeam Solutions, recently shared about his experience with Heimdal’s Patch & Asset Management:
"Patch management is absolutely the most important thing that we did with Heimdal straightaway. We decided that it was a tool that we would deploy immediately for all our clients across the board, Mac and Windows. It standardized, it allowed us to maintain control of our agents, our endpoints, and most importantly, secure our clients."
The tool supports over 200 applications and tests, sanitizes and safely deploys patches in less than 4 hours, anytime, anywhere.