Statement from Secretary Mayorkas on the Bipartisan National Security Agreement in the U.S. Senate

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on the bipartisan national security agreement in the U.S. Senate:

“The bipartisan agreement in the Senate is tough, fair, and takes meaningful steps to address the challenges our country faces after decades of Congressional inaction.

“It would allow DHS to remove more quickly those who do not establish a legal basis to remain in the United States, reducing the time from years to months. It would expedite protection and work authorization for those with legitimate claims. It would provide flexibility to respond to changing dynamics at the border, including temporarily prohibiting border entries for certain individuals when encounters are extremely high. It also delivers much-needed resources to support and expand the DHS workforce after decades of chronic underfunding, and it further invests in technology to help prevent fentanyl from entering our country at ports of entry.

“This agreement builds on this Administration’s approach of strengthened consequences for those who cross the border unlawfully, without curtailing the development of lawful, safe, and orderly pathways for those who qualify. While it will take time to fully implement these new measures, the new enforcement tools and resources this proposal offers will further strengthen our ability to enforce the law in the months and years ahead, and we will begin implementing them as soon as it becomes law.

“I thank the bipartisan group of senators who came together over the past several months to craft this legislation. These proposals are the product of extensive negotiations and conversations. I and my DHS colleagues were privileged to provide technical and operational expertise to the Senators to ensure that these solutions are workable and effective. While the proposed legislation does not fix everything in our immigration system, these reforms are essential for making our border more secure, orderly, fair, and humane. I call on Congress to pass this bipartisan legislation, give the DHS workforce the tools and resources we need, and provide solutions that increase our border security.”

IARPA Pursuing Significant Advancement in Quantum Computing

Source: United States Director of National Intelligence

FOR IMMEDIATE RELEASE
ODNI News Release No. 03-24
February 1, 2024

WASHINGTON, D.C. – The Intelligence Advanced Research Projects Activity (IARPA) — the research and development arm of the Office of the Director of National Intelligence — today launched a new quantum computing program aimed at overcoming the field’s next major challenge en route to its promise of solving physics, chemistry, and mathematics problems that defy computation by classical computers.

IARPA’s new program, Entangled Logical Qubits (ELQ), will provide the Intelligence Community insights into quantum computing by illuminating the complexities of maintaining error correction and fault tolerance in operations between logical qubits (LQs) — the basic units of quantum information in the paradigm of universal fault-tolerant quantum computing (UFTQC). Researchers will build, operate, and entangle LQs in demonstrations of quantum teleportation, or moving quantum information from one LQ to another, ideally without error.

“To the noise and errors that plague computing with physical qubits, UFTQC offers an antidote,” said ELQ Program Manager, Dr. Michael Di Rosa. “IARPA’s previous quantum programs showed that the fundamentals behind UFTQC work in practice, and now we are taking the next significant step toward a UFTQC future through ELQ and its success.”

Through a Broad Agency Announcement, IARPA awarded ELQ research contracts addressing the range of program objectives to four teams led by investigators at:

  • ETH Zurich
  • Harvard University
  • University of Innsbruck
  • University of Sydney

Test and evaluation work for the program will be provided by the Air Force Research Laboratory, Johns Hopkins University Applied Physics Laboratory, and Sandia National Laboratories.

ELQ will also use government-furnished capabilities from MIT Lincoln Laboratory, the National Institute of Standards and Technology, and Sandia National Laboratories.

IARPA invests in high-risk, high-payoff research programs to tackle some of the most difficult challenges of the agencies and disciplines in the Intelligence Community. Additional information on IARPA and its research may be found on www.iarpa.gov.

###

Readout of Secretary of Homeland Security Alejandro N. Mayorkas’ Meeting with the National Council of Textile Organizations

Source: US Department of Homeland Security

Earlier today, Secretary of Homeland Security Alejandro N. Mayorkas met virtually with members of the National Council of Textile Organizations (NCTO). The Council’s members are large and small companies alike that employ thousands of American workers and create jobs for people throughout the United States and the region.

NCTO members shared with Secretary Mayorkas the tremendous harm and distress that the textile industry is suffering at the hands of unscrupulous individuals and entities who create an unfair market by circumventing the operation of our nation’s free trade agreements, violating the Uyghur Forced Labor Prevention Act (UFLPA), and exploiting the de minimis shipment exception that is established in law.

In response, and given the Department of Homeland Security’s mission to protect our country against customs violations in their many forms, Secretary Mayorkas is enlisting U.S. Customs and Border Protection (CBP), Homeland Security Investigations (HSI), and other agencies and offices in DHS to increase and expedite their work in prosecuting illegal customs practices that harm the American textile industry.   

CBP has already begun to increase enforcement in this arena, including using traditional methods such as physical inspection by CBP officers, testing and analysis by CBP laboratories, textile production verification visits, and audits.  It is also increasing its capability and capacity for isotopic testing of imported goods suspected of forced labor violations. HSI’s labor exploitation investigations target employers involved in criminal activity and worker exploitation to reduce illegal employment and protect employment opportunities for the country’s lawful workforce. And, as chair of the Forced Labor Enforcement Task Force, DHS continues to work in collaboration with other agencies and the private sector to expand the UFLPA Entity List to publicly name and hold accountable bad actors that use or facilitate forced labor.

Secretary Mayorkas directed the agencies to provide him with a comprehensive enforcement action plan in 30 days, including a determination whether current trade law provides adequate authorities to solve the core issues.

“DHS will use all the tools at its disposal, including identifying suspicious transshipment practices, publicly identifying bad actors, isotopic testing, random parcel inspections, and other law enforcement efforts, in order to protect the integrity of our markets, hold perpetrators accountable, and safeguard the American textile industry,” said Secretary of Homeland Security Alejandro N. Mayorkas.

###

Joint Statement by United States Secretary of Homeland Security Mayorkas and European Union Commissioner for Internal Market Breton

Source: US Department of Homeland Security

WASHINGTON – Marking the one-year anniversary of their 2023 Joint Statement, United States Secretary of Homeland Security Alejandro N. Mayorkas and European Commissioner for Internal Market Thierry Breton released the following updated joint statement on the cooperation between the United States and the European Union in the field of cyber resilience:   

“We strongly welcome the close cooperation between the United States and the European Union to secure our people, critical infrastructure, and businesses against detrimental cyber activities. In a geopolitical and technological landscape marked by the proliferation of new threats and malicious actors, it is paramount that we continue to cooperate and join forces to promote our shared values and objectives in cyberspace.

“We celebrate the broad and effectual partnership between the European Commission’s Directorate-General for Communications Networks, Content and Technology (DG CONNECT) and the United States Department of Homeland Security (DHS), as reflected in the joint workstreams introduced following our previous Joint Statement. Over the last year, these workstreams have borne robust, focused, and strategic cooperation. Notable outcomes include a commitment to compare and, where possible, align on the implementation of our cyber incident reporting requirements; intensified cooperation from our respective cybersecurity agencies following the signature of the European Union Agency for Cybersecurity-Cybersecurity and Infrastructure Security Agency Working Arrangement (ENISA-CISA); the creation of a transatlantic working group of open-source security experts; the launch of the EU-U.S. Cyber Fellowship; and other expert exchanges on topics of cyber policy such as public-private partnerships and vulnerability management.

“In light of our fruitful cooperation, this week we decided upon further cooperation to promote our shared objectives of a secure cyberspace as we face a constantly evolving threat landscape. Specifically, we committed to:

  • Work together to align, to the fullest extent possible, the requirements and guidelines we issue to drive cybersecurity and reduce the compliance burden to businesses.  
    • This includes publishing a joint product comparing our cyber incident reporting frameworks for critical infrastructure, including fields of information and the timing of such reporting, so as to identify areas where we are aligned and where there are divergences.
  • Our shared responsibility for the safe and secure adoption of artificial intelligence, recognizing the great potential of this rapidly developing technology.
    • This includes launching a dedicated cybersecurity workstream on the secure incorporation of Artificial Intelligence into critical infrastructure, situational awareness about the cybersecurity of AI models and applications, and collaboration on our approaches to the cybersecurity of AI across our shared mission space.
  • Work bilaterally and with interagency partners to better prepare our collective responses to cyber incidents, including those that warrant rapid and effective support to like-minded countries.
    • This includes facilitating a joint scenario-based discussion to examine cyber-related crisis response mechanisms.
  • Jointly advance the cybersecurity of software and hardware in critical cyber policy fields so as to best prepare public administration, businesses, and critical infrastructures for evolving future threats.
    • This includes creating or formalizing regular exchanges on open-source security, Software Bills of Materials (SBOM), and Secure-by-Design for software frameworks including as they align to efforts under the EU’s Cyber Resilience Act and broader international cooperation.
    • It also includes deepening exchanges on the cybersecurity aspects of emerging and disruptive technologies, including on topics such as Post Quantum Cryptography. 
  • Continue to deepen personnel and talent exchanges to strengthen our existing efforts and better support current and future workstreams.
    • This includes continuing the 2024 EU-U.S. Cyber Fellowship program in the United States that will bring together European and American cybersecurity officials for working-level discussions on transatlantic cyber policy issues. Building on the success of this fellowship, we agreed on the need for a future exchange program whereby we will each send an expert to join one another’s teams.

“These commitments and their associated deliverables reflect the ambition expressed in the joint statement between President Biden and President von der Leyen from March 2022, which called for deeper cooperation and more structured cybersecurity information exchanges on threats, and the Joint Statement of the October 2023 EU-U.S. Summit, which called for cooperation to build a more secure cyberspace and to protect consumers and business. The deliverables are expected to be reported on at the 10th EU-U.S. Cyber Dialogue later this year in Washington, D.C.”

###

CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

Source: US Department of Homeland Security

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.  

The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.  

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.” 

This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).  

The recommended actions for software manufacturers are aligned to the recently updated Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take the urgent steps necessary to design, develop, and deliver products that are secure by design.

For more information and resources, HPH entities can visit CISA’s Healthcare and Public Health Cybersecurity Toolkit and Healthcare and Public Health Sector webpages.  

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps 

Source: US Department of Homeland Security

Guide encourages software manufacturers to address memory safety vulnerabilities and implement secure by design principles 

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international cybersecurity authorities from Australia, Canada, New Zealand, and the United Kingdom, published a joint guide, The Case for Memory Safe Roadmaps: Why both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, as part of our collective Secure by Design campaign to address the critical issue of memory safety vulnerabilities in programming languages.  

Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability; they affect how memory can be accessed, written, allocated, or deallocated in unintended ways in programming languages. Because this class of vulnerability is so prevalent, software manufacturers are consistently releasing updates that their customers must continually apply. Previous attempts at solving the problem have made only partial gains, and currently, two-thirds of reported vulnerabilities in memory unsafe programming languages still relate to memory issues.

“Research shows that roughly 2/3 of software vulnerabilities are due to a lack of ‘memory safe’ coding. Removing this routinely exploited security vulnerability can pay enormous dividends for our nation’s cybersecurity but will require concerted community effort and sustained investment at the executive level,” said CISA Director Jen Easterly. “It’s way past time for us to get serious about protecting all software customers and implement Secure by Design principles into baseline product development to eliminate these types of threats once and for all.” 

The guide strongly encourages executives of software manufacturers to prioritize using memory safe programming languages, write and publish memory safe roadmaps, and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle (SDLC) to dramatically reduce and eventually eliminate memory unsafe code in their products. This guidance also provides a clear outline of elements that a memory safe roadmap should include.

By creating a memory safe roadmap, manufacturers will signal to customers that they are embracing key Secure by Design principles of (1) taking ownership of their security outcomes, (2) adopting radical transparency, and (3) taking a top-down approach. 

With our partners, CISA encourages stakeholders, partners, and software manufacturers to review the guide and implement the recommended actions. To learn more about Secure by Design, visit cisa.gov/SecureByDesign.


Readout from CISA’s 2023 Fourth Quarter Cybersecurity Advisory Committee Meeting  

Source: US Department of Homeland Security

CARLSBAD, Calif. – Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) held its fourth and final 2023 quarterly Cybersecurity Advisory Committee (CSAC) meeting.

During the meeting the Technical Advisory Council and Building Resilience and Reducing Systemic Risk to Critical Infrastructure subcommittees deliberated and voted on recommendations to forward to CISA Director Jen Easterly.

The recommendations voted on today focused on advancing memory safe system languages (MSSL) and separately on efforts to further strengthen operational collaboration. The recommendations supplement those voted on in the September CSAC meeting, resulting in a total of 135 recommendations submitted in 2023. Today’s recommendations will now be submitted to Director Easterly in written form and posted on CISA.gov.

“I am so pleased with the Committee’s work this year and look forward to an even more productive 2024 to help strengthen our nation’s cybersecurity,” said CISA Director Jen Easterly. “I’m especially excited to review the recommendations voted on today that will help advance CISA’s cybersecurity mission.”

Director Easterly’s responses to the recommendations will be posted on cisa.gov.  

Director Easterly also acknowledged the Committee’s new Chair, Ron Green from Mastercard, and Vice Chair, Dave DeWalt from NightDragon. Green follows outgoing inaugural Chair, Tom Fanning from Southern Company.  

“I can’t thank Tom enough for the visionary leadership that he has provided to the CSAC. As founding chair of the advisory committee, he set a course for CISA that focused on innovation and process improvement for safer and more secure critical infrastructure. I am so excited to have Ron continue to provide his insight in this new position. I have the utmost confidence that Ron and Dave will continue the amazing work of the CSAC in advancing and strengthening our nation’s cybersecurity posture,” said Easterly. 

Established in 2021, the Committee was created to provide recommendations to the CISA Director that will help to advance the cybersecurity mission of the agency as well as to strengthen cybersecurity measures across the nation.    

The next CISA CSAC meeting will be held virtually in March. Details and information on how to attend will be forthcoming.    

The agenda from today’s meeting is available here. More information on CSAC is available here.     


DHS CISA and UK NCSC Release Joint Guidelines for Secure AI System Development

Source: US Department of Homeland Security

WASHINGTON – Taking a significant step forward in addressing the intersection of artificial intelligence (AI) and cybersecurity, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) today jointly released Guidelines for Secure AI System Development to help developers of any systems that use AI make informed cybersecurity decisions at every stage of the development process. The guidelines were formulated in cooperation with 21 other agencies and ministries from across the world – including all members of the Group of 7 major industrial economies – and are the first of their kind to be agreed to globally.

“We are at an inflection point in the development of artificial intelligence, which may well be the most consequential technology of our time. Cybersecurity is key to building AI systems that are safe, secure, and trustworthy,” said Secretary of Homeland Security Alejandro N. Mayorkas.  “The guidelines jointly issued today by CISA, NCSC, and our other international partners, provide a commonsense path to designing, developing, deploying, and operating AI with cybersecurity at its core. By integrating ‘secure by design’ principles, these guidelines represent an historic agreement that developers must invest in, protecting customers at each step of a system’s design and development.  Through global action like these guidelines, we can lead the world in harnessing the benefits while addressing the potential harms of this pioneering technology.”

The guidelines provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles that CISA has long championed.

“The release of the Guidelines for Secure AI System Development marks a key milestone in our collective commitment—by governments across the world—to ensure the development and deployment of artificial intelligence capabilities that are secure by design,” said CISA Director Jen Easterly. “As nations and organizations embrace the transformative power of AI, this international collaboration, led by CISA and NCSC, underscores the global dedication to fostering transparency, accountability, and secure practices. The domestic and international unity in advancing secure by design principles and cultivating a resilient foundation for the safe development of AI systems worldwide could not come at a more important time in our shared technology revolution. This joint effort reaffirms our mission to protect critical infrastructure and reinforces the importance of international partnership in securing our digital future.”

The guidelines are broken down into four key areas within the AI system development lifecycle: secure design, secure development, secure deployment, and secure operation and maintenance.  Each section highlights considerations and mitigations that will help reduce the cybersecurity risk to an organizational AI system development process.

“We know that AI is developing at a phenomenal pace and there is a need for concerted international action, across governments and industry, to keep up,” said NCSC CEO Lindy Cameron. “These Guidelines mark a significant step in shaping a truly global, common understanding of the cyber risks and mitigation strategies around AI to ensure that security is not a postscript to development but a core requirement throughout. I’m proud that the NCSC is leading crucial efforts to raise the AI cyber security bar: a more secure global cyber space will help us all to safely and confidently realize this technology’s wonderful opportunities.”

“I believe the UK is an international standard bearer on the safe use of AI,” said UK Secretary of State for Science, Innovation and Technology Michelle Donelan. “The NCSC’s publication of these new guidelines will put cyber security at the heart of AI development at every stage so protecting against risk is considered throughout.”

These guidelines are the latest effort across the U.S.’s body of work supporting safe and secure AI technology development and deployment. In October, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. 

Earlier this month, CISA released its Roadmap for Artificial Intelligence, a whole-of-agency plan aligned with national strategy to address our efforts to promote the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber-based threats, and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day. Learn more about CISA’s AI work.

###


DHS Cybersecurity and Infrastructure Security Agency Releases Roadmap for Artificial Intelligence

Source: US Department of Homeland Security

WASHINGTON – Today the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.

Last month, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.

“DHS has a broad leadership role in advancing the responsible use of AI and this cybersecurity roadmap is one important element of our work,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The Biden-Harris Administration is committed to building a secure and resilient digital ecosystem that promotes innovation and technological progress. In last month’s Executive Order, the President called on DHS to promote the adoption of AI safety standards globally and help ensure the safe, secure, and responsible use and development of AI. CISA’s roadmap lays out the steps that the agency will take as part of our Department’s broader efforts to both leverage AI and mitigate its risks to our critical infrastructure and cyber defenses.”

“Artificial Intelligence holds immense promise in enhancing our nation’s cybersecurity, but as the most powerful technology of our lifetimes, it also presents enormous risks,” said CISA Director Jen Easterly. “Our Roadmap for AI, focused at the nexus of AI, cyber defense, and critical infrastructure, sets forth an agency-wide plan to promote the beneficial uses of AI to enhance cybersecurity capabilities; ensure AI systems are protected from cyber-based threats; and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day.”

As the nation’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, CISA envisions a secure and resilient digital ecosystem for the nation that supports unparalleled innovation and significant enhancement of critical infrastructure services provided to the American public. CISA’s roadmap outlines five lines of effort: 

  • Line of Effort 1: Responsibly use AI to support our mission. CISA will use AI-enabled software tools to strengthen cyber defense and support its critical infrastructure mission. CISA’s adoption of AI will ensure responsible, ethical, and safe use—consistent with the Constitution and all applicable laws and policies, including those addressing federal procurement, privacy, civil rights, and civil liberties.
  • Line of Effort 2: Assess and Assure AI systems. CISA will assess and assist secure by design, AI-based software adoption across a diverse array of stakeholders, including federal civilian government agencies; private sector companies; and state, local, tribal, and territorial (SLTT) governments. Assurance will be established through the development of best practices and guidance for secure and resilient AI development and implementation, including the development of recommendations for red-teaming of generative AI.
  • Line of Effort 3: Protect critical infrastructure from malicious use of AI. CISA will assess and recommend mitigation of AI threats facing our nation’s critical infrastructure in partnership with other government agencies and industry partners that develop, test, and evaluate AI tools. As part of this effort, CISA will establish JCDC.AI to catalyze focused collaboration around threats, vulnerabilities, and mitigations related to AI systems.
  • Line of Effort 4: Collaborate and communicate on key AI efforts with the interagency, international partners, and the public. CISA will contribute to DHS-led and interagency efforts, including developing policy approaches for the U.S. government’s overall national strategy on cybersecurity and AI, and supporting a whole-of-DHS approach on AI-based-software policy issues. This also includes coordinating with international partners to advance global AI security best practices and principles. 
  • Line of Effort 5: Expand AI expertise in our workforce. CISA will continue to educate our workforce on AI software systems and techniques, and the agency will continue to actively recruit interns, fellows, and future employees with AI expertise. CISA will ensure that internal training reflects—and new recruits understand—the legal, ethical, and policy aspects of AI-based software systems in addition to the technical aspects.

CISA’s mission sits at the intersection of strengthening cybersecurity and protecting critical infrastructure and therefore plays a key role in advancing the Administration’s goal of ensuring that AI is safe, secure, and resilient. CISA will assess possible cyber-related risks to the use of AI and provide guidance to the critical infrastructure sectors that Americans rely on every hour of every day. Additionally, CISA will work to capitalize on AI’s potential to improve U.S. cyber defenses and develop recommendations for the red-teaming of generative AI.  

CISA invites stakeholders, partners, and the public to explore the Roadmap for Artificial Intelligence and learn more about our strategic vision for AI technology and cybersecurity. To access the full Roadmap, visit cisa.gov/AI.

To learn more about DHS’s role in ensuring AI safety and security nationwide, visit DHS.gov/AI.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 in response to observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances by malicious cyber threat actors. This Emergency Directive directs all federal civilian agencies to immediately take specific actions and implement vendor mitigation guidance to these Ivanti appliances. While only binding on Federal Civilian Executive Branch agencies, CISA urges all organizations using these products to urgently implement the mitigations outlined in this Directive.

Last week, Ivanti released information regarding two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that allow an attacker to move laterally across a target network, perform data exfiltration, and establish persistent system access. CISA has determined an Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the federal enterprise, high potential for compromise of agency information systems, and potential impact of a successful compromise.

“The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend,” said CISA Director Jen Easterly. “Even as federal agencies take urgent action in response to this Directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this Directive.”

As federal civilian agencies implement this mandate, CISA will assess and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

For more information on CISA Directives, visit Cybersecurity Directives.

###
