US Govt Agencies Told to Patch Vulnerabilities, While Aussie Govt Agencies Ignore Cybersecurity Targets

Giulio Saggin
Tuesday 28 November 2023
Washington, United States

On Nov. 3, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a compulsory directive to federal executive branch departments and agencies, stating that all vulnerabilities needed to be patched as soon as possible.

Vulnerabilities assigned before 2021 must be patched within six months; all others, i.e. those from 2021 onward, must be patched within two weeks. If there is a "grave risk to the Federal Enterprise", these timelines will change. Currently there are more than 400 vulnerabilities listed on the CISA Known Exploited Vulnerabilities Catalog.

It's good to see firm action taking place, although you may wonder why so late. Major cyber attacks occur almost daily and have been increasing year on year. Then again, governments move slowly, and it will be interesting to see whether, and how many of, these entities comply. Perhaps the fact that the US is the nation most targeted by cyber attacks will lead to action. Still, this directive has been published for a reason.

Governments around the world also have similar cybersecurity standards in place for their departments, agencies and the like.

The UK Government published its 10 steps to cyber security in 2012, with many references to vulnerabilities ("address known vulnerabilities promptly"), and followed this up in 2018 with its Minimum Cyber Security Standard, which contains 10 measures, one of those being "Vulnerability Management".

The Australian Government's cybersecurity program began in 2010, with a list of 35 strategies aimed at helping government departments and entities reduce the risk of cyber intrusions. That list was narrowed down to the "top four cyber mitigation strategies" in 2013, and then four more were added - including vulnerability management - in 2017 to form the Essential Eight.

Unfortunately, compliance with both the Top Four and Essential Eight has been lacking at both federal and state level. In 2019, nearly a decade after the federal cybersecurity program was introduced, 25 Commonwealth entities were assessed and none achieved the recommended maturity level for the Essential Eight. All were found to be vulnerable to cyber threats.

In Oct. 2021, government departments in New South Wales, Australia's most populous state, were found to be severely lacking in their Essential Eight compliance, leading the state's auditor-general to comment: "Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies."

While Australia isn't as targeted by cyber attacks as the US and UK, the fact that the national Parliament House was the subject of a state-sponsored cyber attack in February 2019 should have caused alarm bells to ring throughout all levels of government. But nearly three years on, complacency remains.

Hopefully the new directive from CISA will see US government agencies be more proactive.
