Virtualization Technology News and Information
VMblog Expert Interviews: Axio Discusses Biden Administration Mandate to Fix Cyber Flaws


In light of the recent Biden administration orders mandating federal agencies to fix hundreds of cyber flaws, VMblog wanted to better understand and get some expert opinions and advice to learn what the orders mean for the industry.  So we reached out to David White, Founder and President of Axio, a leader in cyber risk management software.

VMblog:  Can you give us a brief overview of the Biden administration's recent orders mandating federal agencies to fix hundreds of cyber flaws?

David White:  On November 3, 2021, the Biden administration ordered a mandate stating that all federal agencies are required to patch cybersecurity vulnerabilities that are considered "major risks."  The binding operational directive (BOD) issued by the Cybersecurity and Infrastructure Security Agency (CISA) gives federal agencies six months to address over 300 security vulnerabilities which date back to 2014 and are itemized in a published catalog (  The directive applies to most civilian federal agencies, but some exceptions exist for military-run networks under management of the Department of Defense and the intelligence community.  In addition, recently-identified vulnerabilities from 2021 are required to be remediated within two weeks. 

VMblog:  Is this a step in the right direction for the Department of Homeland Security?

White:  Because federal civilian agencies and critical infrastructure operators are a frequent target for attackers who exploit these commonly-known vulnerabilities, emphasis on remediation will significantly improve resistance to cyber attacks.  The DHS directive re-establishes a back-to-basics focus on the improvement of cyber hygiene and the need to reduce known risk by improving the time-to-remediate.  Longer times-to-remediate result in an increased and unnecessary exposure to risk (especially ransomware risk), giving attackers more time to perfect their attack vectors and find organizations that have failed to adequately reduce gaps in their cybersecurity defenses. 

VMblog:  What implications will this order (if any) have on the private sector?

White:  The directive focuses on security vulnerabilities commonly found in infrastructure that are not only used by federal civilian agencies, but by industry and, more specifically, critical infrastructure operators.  As a result, the urgency with which this directive has been issued should be seen as a wake-up call for industry to focus attention on closing known exploitable gaps in their cybersecurity defense.  Indeed, Axio's recently published 2021 State of Ransomware Preparedness Report indicates that slightly more than 50% of organizations reported at least quarterly scanning for vulnerabilities and only 32% required critical vulnerabilities to be patched within 24 hours.  Additionally, only 47% of organizations reported that they remediated all identified vulnerabilities with a known potential for compromise. 

Our view is that industry and critical infrastructure should follow DHS's lead in renewing their attention to identifying and patching security vulnerabilities in a timely manner.  Using the CISA catalog is an excellent benchmark from which to determine if an organization is currently exposed. 

VMblog:  Do you think that organizations will adopt this directive and prioritize fixing vulnerabilities listed in the CISA public catalog?

White:  The tacit acknowledgement that federal civilian agencies are exposed, and the specific details of the exposures as cataloged, significantly increases the urgency to fix known vulnerabilities.  While meant to inspire a call-to-action, the publication of the catalog also reveals the specific exposures that federal agencies have failed to address,thereby potentially attracting the attention of attackers who likely have ready-to-go means and methods to exploit these exposures.  This should be an additional catalyst to act quickly. 

VMblog:  Why haven't these vulnerabilities been previously patched?

White:  Improving federal cybersecurity has long been a focus of White House and DHS efforts.  Findings from the May 2018 Federal Cybersecurity Risk Determination Report and Action Plan indicate several challenges that may impede timely vulnerability and patch management.  In this report, agencies were found to have poor situational awareness of their threat environment and were characterized as deficient in having sufficient resources allocations to combat current threats.  Additionally, the lack of software and application standardization, poor network monitoring and visibility, legacy technology and operating systems, and a lack of standardized  cybersecurity risk management and accountability for poor outcomes are likely key contributors to less-than-effective vulnerability management programs that should be designed to meet or exceed patching mandates dating back to 2015. 

VMblog:  Why are some agencies better at performing vulnerability patches than others?

White:  Our guess is that some agencies-particularly the less complex and better resourced ones-have the resources to attend to critical vulnerabilities and/or a smaller catalog of vulnerabilities.  But, this would be a complete assumption on our part.  However, it's easy to conceive that the Social Security Administration and the Small Business Administration have very different operating environments and, therefore, different threat profiles. This would understandably make vulnerability management more difficult in one environment in comparison with the other.

VMblog:  Would it be better if the patch management program was centralized instead of maintained by the agencies separately?

White:  The success of a patch management program is often dictated by operating conditions and the complexity of infrastructure.  Vulnerability management as a foundational cybersecurity practice remains one of the more difficult activities to do well as it requires not only a large labor investment, but also highly coordinated orchestration across information technology departments and business users.  Done poorly, vulnerability remediation can cause operational interruptions and sometimes requires walk-back actions to back out patches that need additional planning.  Vulnerability remediation in some ways mimics the code development process in that a proper approach requires planning, testing, implementation, and monitoring-and when there are hundreds (if not thousands) of vulnerabilities that need attention, this can be a challenging task.

As a result, the vulnerability management and patching process is unique to an agency's specific infrastructure and operating constraints, and therefore a one size fits all approach is likely to run into challenges and may not significantly improve success.  For that reason, agencies should continue with their own patching programs and assess and consider major process improvements if they are unable to meet previously-established mandates from 2015, which require patching critical vulnerabilities within one month of public disclosure, and the 2019 expansion, which includes high-severity fixes as well. 

VMblog:  Will this mandate ensure adoption of patch best practices moving forward?

White:  The mandate will certainly improve focus on critical and high-severity vulnerabilities, and it provides agencies the opportunity to focus on an ever-increasing backlog.  However, new vulnerabilities are identified every day and the backlog will continue to grow without a specific emphasis on improving the vulnerability management process.  This includes not only redefining the process, but also ensuring adequate resourcing.  In some cases, because the vulnerability management process requires adequate testing before remediation fixes are committed to implementation, meeting remediation timelines for critical vulnerabilities in the future will be difficult without significant process changes.  

VMblog:  Is the timeline outlined doable?

White:  Without significant process changes and a commitment to dedicated resources it is likely that addressing the catalog of vulnerabilities (some of which date back to 2014) will remain a significant challenge, especially vulnerabilities that must be remediated in a two-week time period.  

VMblog:  Is there anything else that the administration should consider?

White:  While the order prioritizes known-exploited vulnerabilities, more aggressive remediation efforts are still necessary. Any vulnerabilities identified prior to 2021 are required to be remediated within 6 months, while those identified in 2021 and later must be remediated within 2 weeks.

It's a step in the right direction for DHS to issue federal orders in alignment with  directives that apply to the private sector. However, the 2-week requirement for federal IT systems is still more lenient than the 7-day requirement recently issued by DHS-TSA, which applies to private-sector. Consistency in remediation timelines would assist DHS in moving away from voluntary standards and lax federal compliance schemes to more stringent and timely requirements backed by enforcement.

VMblog:  How does Axio fit into the new order?

White:  Axio's SaaS product, Axio360, enables organizations to understand their cybersecurity posture and their associated cyber risk in financial terms. Cybersecurity assessments in Axio360 are a great way to understand gaps and drive improvement in an organization's vulnerability management process. Cyber risk quantification in Axio360 is a powerful tool for understanding the risk reduction that would result from an investment to improve patch management. Some Axio360 subscribers have used cyber risk quantification in Axio360 to secure off-cycle funding for patching improvements. Axio360 enables security and business leaders to focus on risks that matter most.


Published Wednesday, November 17, 2021 7:29 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2021>