Hackers sponsored by China are targeting federal agencies, technology companies and critical infrastructure sector organizations with a new type of malware affecting Linux, VMWare kernel and Windows environments that may be difficult to detect and eradicate.
The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security are strongly advising organizations take steps to scan systems for BRICKSTORM using detection signatures and rules; inventory all network edge devices; monitor edge devices for suspicious network connectivity and ensure proper network segmentation. The organizations released a malware analysis report to help organizations combat the threat.
“BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure. State sponsored actors are not just infiltrating networks, they are embedding themselves to enable long term access, disruption and potential sabotage. That’s why we’re urging every organization to treat this threat with the seriousness that it demands,” said Nick Andersen, CISA’s executive assistant director for cybersecurity, during a call with reporters today. “The advisory we issued today provides indicators of compromise (IOCs) and detection signatures to assist critical infrastructure owners and operators in determining whether they have been compromised. It also gives recommended mitigation actions to protect against what is truly pervasive PRC activity.”
CISA says BRICKSTORM features advanced functionality to conceal communications, move laterally and tunnel into victim networks and automatically reinstall or restart the malware if disrupted. Andersen said CISA became aware of the threat in mid-August and it’s part of a “persistent, long-term campaigns of nation state threat actors, in particular those that are sponsored by the People’s Republic of China, to hold at risk our nation’s critical infrastructure through cyber means.”
The malware has impacted at least eight organizations, including one to which CISA provided incident response services. Andersen wouldn’t say how many of those eight were federal agencies or which ones have been impacted.
“This is a terribly sophisticated piece of malware that’s being used, and that’s why we’re encouraging all organizations to take action to protect themselves, and if they do become victims of it or other malicious activity, to report it to CISA, so we can have a better understanding of the full picture of not just where this malware is being employed, but the more robust picture of the wider cyber threat landscape,” Andersen said.
New way to interact with industry
Since January, CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance documents with U.S. allies, including the United Kingdom, Canada, Australia and New Zealand, as well as with other international partners.
“Together, we’ve exposed nation-state sponsored intrusions, AI enabled ransomware operations and the ever evolving threats to critical infrastructure,” Andersen said.
Along with the warnings and analysis about BRICKSTORM, CISA also launched a new Industry Engagement Platform (IEP). CISA says it’s designed to let the agency and companies share information and develop innovative security technologies.
“The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency,” CISA said in a release. “The IEP allows organizations – including industry, non-profits, academia, government partners … and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”
CISA says while participation in the IEP does not provide preferential consideration for future federal contracts, it serves as a channel for the government to gain insight into new capabilities and market trends.
Current areas of interest include:
Information technology and security controls
Data, analytics, storage, and data management
Communications technologies
Any emerging technologies that advance CISA’s mission, including post-quantum cryptography and other next-generation capabilities
Andersen said while the IEP and related work is separate from the BRICKSTORM analysis, it’s all part of how CISA is trying to ensure all organizations protect themselves from the ever-changing cyber threat.
“The threat here is not theoretical, and BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure,” he said. “We know that state sponsored actors are not just infiltrating networks. They’re embedding themselves to enable the long term access disruption and potential sabotage that enables their strategic objectives, and that’s why we continue to urge every organization to treat this threat with serious demands.”
The Federal Communications Commission is set this week to vote on reversing cybersecurity rules for telecommunications providers that were put forward following the sweeping “Salt Typhoon” hacks.
The FCC’s meeting on Thursday includes plans to consider an order to rescind a ruling and proposed rules published in the waning days of the Biden administration. The January ruling requires telecom operators to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act.
But current FCC Chairman Brendan Carr argues that ruling “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”
The proposed order would rescind the January ruling and withdraw proposed cybersecurity rules for telecom operators.
The FCC “should instead continue to pursue an agile and collaborative approach to cybersecurity through federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement,” according to a factsheet on the order of reconsideration.
‘Worst’ hack ever
The Salt Typhoon campaign was revealed in 2024. It involved intrusions into U.S. telecom networks and others across the globe. The hackers were reportedly able to target the communications of political figures and government officials, including then-candidate Donald Trump and running mate JD Vance.
U.S. officials have said Chinese-government sponsored hackers are behind the campaign. Senate Intelligence Committee Ranking Member Mark Warner (D-Va.) has described it as “the worst telecommunications hack in our nation’s history.”
The Cybersecurity and Infrastructure Security Agency has since said the Salt Typhoon campaign overlapped with global threat activities targeting multiple sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks.
“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” CISA wrote in a September advisory. “These actors often modify routers to maintain persistent, long-term access to networks.”
In rolling out the January rules, Biden administration officials argued they represented a “critical step to require U.S. telecoms to improve cybersecurity to meet today’s nation state threats, including those from China’s well-resourced and sophisticated offensive cyber program.”
However, the FCC’s current leadership says the rules misinterpreted the law and “unnecessarily raised and purported to resolve issues that were not appropriate for consideration in the absence of public input.” The FCC’s factsheet also references the commission’s “recent engagement with providers and their agreement to take extensive steps to protect national security interests.”
In an October letter to the FCC, lawyers representing several telecom associations argued that the January ruling “would significantly undermine” public-private partnerships. They argued that telecom providers had voluntarily collaborated with federal agencies to investigate Salt Typhoon and adopted stronger cybersecurity measures.
Warner and Sen. Ron Wyden (D-Ore.) are also pressing the Department of Homeland Security to release an unclassified 2022 report on security vulnerabilities in the U.S. telecom sector. They argue that by not releasing the report, DHS is undermining public debate over how to best secure telecom networks in the wake of Salt Typhoon.
“The Salt Typhoon compromise represents one of the most serious espionage campaigns against the communications of U.S. government leaders in history, and highlighted important gaps in our nation’s communications security – in some cases, with providers ignoring basic security precautions such as credential re-use across network appliances and failure to adopt multi-factor authentication for highly privileged network administrator accounts,” Warner and Wyden wrote in a recent letter to DHS and the Office of the Director of National Intelligence.
Meanwhile, the House on Monday passed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act.” The bill would establish a joint interagency task force to address China-linked cyber threats, including Salt Typhoon. The task force would be led by CISA, with involvement from the Justice Department, the FBI and several sector-risk management agencies.
Congress has temporarily extended a landmark cyber information sharing law, but industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution.
The continuing resolution signed into law Wednesday night extends the provisions of the Cybersecurity Information Sharing Act of 2015 through the end of January. The law had expired Oct. 1.
CISA 2015 provides privacy and liability protections to encourage companies to share data about cyber vulnerabilities and threats. Cybersecurity leaders say those protections provide a critical underpinning to facilitate collaboration across government and industry.
Despite the temporary reprieve, the path forward for a long-term CISA 2015 extension in Congress remains unclear, with divergent reauthorization bills in the House and the Senate.
The White House has called for a “clean” 10-year reauthorization of CISA 2015. But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has opposed efforts to move forward such a bill in the Senate.
The long-term extension of the information sharing law, meanwhile, remains a chief concern for the technology industry.
Mike Flynn, senior vice president of government affairs for the Information Technology Industry Council, called the short-term extension “a step in the right direction.”
“Without a long-term CISA 2015 fix, cybersecurity stakeholders will continue to face uncertainty and questions that will undermine the network of information-sharing organizations and programs that have been built over the last decade,” Flynn said in a statement.
Henry Young, senior director of policy at BSA The Software Alliance, said he hopes to see a “sense of urgency” in Congress to extend the law long term.
“While we’re pleased that the law is hopefully going to be extended, we remain concerned that if the CR lapses, we’ll return to a world where cybersecurity information sharing is slowed or stopped, and that really leaves everyone at risk,” Young told Federal News Network.
CISA 2015 lapses
When the law lapsed Oct. 1, some cyber policy experts worried industry would stop sharing information about cyber threats affecting their products or networks.
But Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said information sharing between government and industry was “holding steady” through the end of October.
The cooperation “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” Andersen told reporters at the Palo Alto Networks public sector conference in Tysons Corner, Va., on Oct. 30.
“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen added.
While companies continued to share information during the lapse, Young said the process slowed down.
“It started to slowly reintroduce the legal review into each one of these individual decisions, which isn’t going to necessarily stop all information sharing, but is going to slow it, and it also might reduce it in increments,” Young said.
“People wanted to work together and continue to share information, and they did, to some extent, but it also created more risk for them to do,” he added.
Cynthia Kaiser, former deputy director of the FBI’s cyber division and now senior vice president of Halcyon’s Ransomware Research Center, said the lapse showed the need for a long-term solution to reauthorizing the law.
“It’s critical that protecting cybersecurity information sharing is considered a priority in Congress upon the government’s reopening in order to maintain a strong national security posture,” Kaiser said.
Debate in Congress
While Congress has just over two months to extend the law, the path forward for reauthorization remains murky.
In September, the House Homeland Security Committee passed the Widespread Information Management for the Welfare of Infrastructure and Government Act. The bill was led by Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).
Garbarino’s bill would extend the CISA 2015 protections for another 10 years, while updating definitions to account for advances in artificial intelligence. It would also require the Department of Homeland Security to improve its outreach on emerging cyber threats.
In a statement released after the House passed the CR, Garbarino called for reauthorizing multiple expired DHS authorities, including CISA 2015.
“With the federal government reopening, I look forward to continuing this Committee’s important work alongside our colleagues in both the House and Senate to find long-term solutions for reauthorizing these vital DHS authorities, bolster our nation’s cyber defenses, maintain President Trump’s secure borders, and ensure the safety of America’s skies and the traveling public,” Garbarino said.
It’s unclear, however, if and when Garbarino’s bill will be called for a vote on the House floor.
In the Senate, meanwhile, Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-Mich.) and Sen. Mike Rounds (R-S.D.) have put forward a bill that would extend CISA 2015 for an additional 10 years without modifying the provisions in the law.
“This short-term extension is an important stopgap, but it is set to expire in just two months unless we pass bipartisan legislation to provide more long-term certainty,” Peters said in a statement. “That’s why I’m pushing to pass my Protecting America from Cyber Threats Act with Senator Rounds, which would renew these critical protections for a full decade so that companies know they can count on them in the event of a cyberattack.”
An HSGAC aide said Peters “remains committed to getting this across the finish line and will continue working with colleagues across the aisle to make sure these protections are fully restored.”
However, Paul has blocked efforts to pass a “clean” CISA 2015 extension. He has pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.
Paul has said the agency’s work in that area infringed on free speech rights. Cyber experts counter that reauthorizing the CISA 2015 law has nothing to do with the work of CISA, the agency, on disinformation. The cyber agency does rely on the law to undergird its collaboration with industry on cyber threats.
Officials have also lamented how the shared name between the information-sharing law and the cyber agency has muddied the waters in the debate over reauthorizing the law.
“They happen to share that same acronym, which is a fluke,” White House National Cyber Director Sean Cairncross said at the Palo Alto Networks conference last month.
A key question is whether the White House will throw its weight more forcefully behind any congressional efforts to reauthorize the bill. In public comments, Trump administration officials have advocated for a 10-year reauthorization without further modifications to the law.
“It’s a common-sense law,” Cairncross said. “The White House is pushing for a 10-year, clean reauthorization of this authority. It’s something that we want to see done. It’s important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that’s vital.”
The longstanding CyberCorps program is at a crossroads, as scholars struggle to find internships, jobs and support during the Trump administration’s governmentwide hiring freeze.
The CyberCorps: Scholarship for Service program is funded by the National Science Foundation and administered through the Office of Personnel Management. The program provides scholarships for up to three years to support an undergraduate or graduate student. In return, CyberCorps students agree to serve in government for a period of time equal to their scholarship.
The program has provided federal agencies with a steady pipeline of much-needed cyber talent since it was established in 2000.
But this year, CyberCorps scholars are struggling to find any open opportunities after the Trump administration instituted a governmentwide hiring freeze for most positions in February. The White House recently extended that freeze indefinitely.
Some CyberCorps scholars had received tentative job or internship offers that were revoked or paused with little explanation. Cyber-related opportunities at federal agencies have largely dried up, especially for entry-level positions, amid the hiring freeze and downsizing at agencies like the Cybersecurity and Infrastructure Security Agency.
Several students are now staring down the possibility of having to pay back their scholarships if they can’t find qualified work. CyberCorps participants are typically required to start a qualifying job within 18 months of graduating.
More than 250 current students and CyberCorps alumni have now organized to share information and press the administration for more information on the future of the program and their job prospects, according to multiple scholars involved in the group. Multiple scholars said that OPM has had little communication with them about the major changes in the federal hiring landscape.
“Many scholars feel we are being strongly armed into unwillingly owing the government hundreds of thousands of dollars for failing to find work with them, when the government is the one cutting jobs, slashing budgets, and eliminating roles we were intended to fill,” one student told Federal News Network.
In a statement, OPM Director Scott Kupor said “bringing top cybersecurity and AI talent into the federal government are critical to our national security.”
“OPM is committed to the success of SFS and is working closely with the National Science Foundation to ensure CyberCorps participants are supported during this challenging time,” Kupor said. “Once the shutdown ends, we will issue guidance to agencies encouraging them to fully leverage the program to bring these highly skilled professionals into public service.”
A spokeswoman for OPM added that “no scholars have been sent to repayment.”
“After the shutdown ends, OPM will collaborate with NSF on a mass deferment to give graduates more time to secure qualifying positions and further guidance to encourage agencies to make use of the SFS program for their hiring needs,” the spokeswoman said.
But CyberCorps scholars say they have a lot of questions about the plan for deferring their post-scholarship employment requirements, given that few federal jobs are available beyond those geared toward immigration enforcement and other Trump administration priorities.
Federal News Network spoke with five CyberCorps scholars about their experience with the program and the challenges they’ve encountered this year. They were granted anonymity because they fear retaliation for speaking out.
Scholar 1 is graduating with a master’s degree in 2026; Scholar 2 is graduating with a bachelor’s degree in December 2025; Scholar 3 is graduating with a master’s degree in December 2025; Scholar 4 graduated in May 2024 with a cybersecurity degree; and Scholar 5 is graduating with a master’s degree in August 2026.
(These conversations were edited for length and clarity.)
FNN: Why did you join CyberCorps, and what do you hope to do as far as government service?
Scholar 1: “The principal investigator of CyberCorps at my school told me about CyberCorps while I was finishing my undergrad degree. I wanted to pursue cybersecurity and data privacy. My PI pitched it to me as, get a free degree and get excellent work experience, and actually do stuff I think is valuable, rather than just working in industry. . . .
I wanted to work with CISA. I’m really interested in critical infrastructure and passionate about securing rural infrastructure, making people conscious of cybersecurity and how it affects them.”
Scholar 2: “I have experience working with the government. I served in the Air National Guard in a technical role. . . . I also had the opportunity to work in an internship with the federal government, and that’s when I discovered programs like CyberCorps.
Having that familiarity with the hands-on experience inspires me and encourages me to keep learning . . . I’m not specifically interested in any particular agency, but anywhere there’s an opportunity in the federal government . . . more or less keeping the bad guys out. I view it as a puzzle.”
Scholar 3: “I chose my entire university based on this scholarship. . . . I’ve been looking for ways to break into cybersecurity for a few years. The CyberCorps program was heavily recommended online. And I also had relatives who worked in government. I just wanted to give back to my community.
I worked an internship at CISA in the summer of 2024. . . . I wanted to work at CISA. I had verbal offers to come back. In my internship, I got full marks. . . . I wanted to find work in protecting critical infrastructure and just wanted to serve my country.”
Scholar 4: “For me it was a chance to serve my country outside of active duty service. I was consistently encouraged to apply by another military-affiliated student. . . I did research while I was in the program. I’m interested in secure software engineering and embedded systems security. I appreciate the ability to blend two different fields together.
I went in with the mindset of, I’m going to be open to all the possibilities that are coming my way. I didn’t want to pigeonhole myself with a specific agency. I wanted to get an interview with an agency and see how their culture worked. I was open to computer science roles, as well as cybersecurity roles.”
Scholar 5: “Initially, I had entered college with medical school in mind. . . . Ultimately, I was able to finish a bachelor’s in computer science, and helping people was still at the forefront of my mind. At the end of the day, that’s why I joined CyberCorps – I thought it would be a gateway to a fulfilling, lifelong career in public service.
I’ve had my eyes set on a position with the Air Force Civilian Service. To me, there isn’t a job in this field that would be more meaningful than working alongside our troops to protect American interests.”
FNN: What challenges have you encountered with the CyberCorps program over the past year?
Scholar 1: “I had interviews with CISA and MITRE for internships. . . Everything was looking fantastic from my perspective. This all happened prior to the January 2025 job fair. That was the first week of January, right before the inauguration.
Afterward, there was no contact. Most of my applications and things I had applied for, they still say it’s in processing or being reviewed. They haven’t been rejected. They’ve been permanently paused.”
(OPM in a recent email told CyberCorps scholars to “get creative” with their job search.)
Scholar 1: “The NSF doesn’t really communicate. It’s mostly through OPM – they just said keep trying, keep looking. They’ve even encouraged us to look out for non-federal agencies. In the ‘get creative’ email, they specifically say to widen our search to state and local governments and nonprofits, when just months prior, they were all but forbidding us from doing that.”
Scholar 2: “Everybody is suffering, because not only are there barely any jobs … but if there are any, we now have to compete with people who are displaced from the shutdown or got let go. All that has made it hard.
It’s very sad to me, because when people are curious about this program, I’m telling them to not do it, because I don’t want to feel like I’m screwing them over by having them sign a contract and then if they can’t find a job, they’re on the hook for hundreds of thousands of dollars in debt.”
Scholar 3: “Getting any kind of response at all has been difficult, even before the government shutdown. When the hiring freeze went into action, the 250 to 300 of us now in the same situation couldn’t get any responses. We were emailing OPM and SFS – we either got no response, or a response that said, ‘get scrappy.’
I got two tentative offers. I had the first offer come in just before the freeze, and I accepted it. When the freeze started, my would-be supervisor at CISA said, ‘Hey, hold on.’ . . . But then the supervisor told me they were probably leaving CISA. The other offer was with another agency. That tentative offer is still there, for an internship last summer.”
Scholar 4: “I had been proactive in securing two tentative job offers before I graduated. I made my choice and got started on the clearance process as soon as I could. . . . I kept checking in with the agency for updates. When I asked for guidance on the timeline with OPM, they told me it could take up to a year. . . . I was told by the sponsoring agency that they wouldn’t send a firm job offer or interim until my clearance was fully determined.
Around January of this year, they ceased all communications with me.”
Scholar 5: “Communication has been infrequent, lackluster and untimely. . . . Historically, OPM has not allowed private internships to count towards our summer internship requirement. They decided to bend the rules this summer. Sounds great, but my cohort wasn’t informed until late spring. By that time, it was entirely too late to secure an internship with a private company for that summer.”
FNN: How have those challenges changed your career outlook and view of public service? And with OPM recently announcing plans for a ‘mass deferment’ of SFS deadlines, what questions or concerns do you continue to have about the future of CyberCorps and your prospects for finding approved work after graduation?
Scholar 1: “We appreciate the rapid response, especially in light of the shutdown, and are thankful for the first piece of substantial information that’s come out of the SFS office in months. Although we are grateful for the acknowledgement from OPM, their statement has still left hundreds of people concerned about their future. Post-shutdown deferments will do little to help our situation – our biggest blocker is the crusade against federal hiring and public sector cybersecurity overall. We have legitimate concerns and reservations, that are validated by the lack of communication and support that’s been received over the past ten months. Thank you for the response. Please, let’s keep this conversation going.”
Scholar 2: “We would be more comfortable if there were more flexibility. There are a lot more opportunities working the same role, but as a private contractor working for the government. In the past, they’d say no, you can’t be a private contractor. They’d want you to be a federal employee. But with the job freeze, it feels like that’s the only way.
If there are no jobs, they’re not upholding their end of the contract. . . The general consensus is that there needs to be more transparency. We just want to have a simple conversation with OPM to see what they can do, not just with the deferment but with flexibility.”
Scholar 3: “We should be doing everything we can to encourage and attract talent. I’ve met some of the smartest people I had ever met in my life through this program, who don’t know what to do and are looking at going private rather than doing what they originally intended.”
(Federal job applications now include essay questions asking how candidates would “advance the President’s executive orders and policy priorities.” Federal employee unions are suing the Trump administration over those questions.)
Scholar 3: “I used to say I don’t care what administration I serve. I wanted to serve my neighbors. But these questions aren’t framed around serving the country. It’s serving a person.
I saw one role I wanted to apply to two weeks ago. When I saw those loyalty questions, I sat there and thought, I don’t have the ability to go through this right now. I didn’t want to put that on my plate.”
Scholar 4: “The first question a lot of us would have is, what’s the time frame? How much time are they actually allotting us? Even if we’re given additional time, if I can’t get a clearance or we get another freeze and they’re not able to process that, it further puts a halt on this process, and I’m left in the same situation.
Even once you secure a job, you have to maintain the job. That goes for a new hire when you’re in the probation period, assuming you don’t get laid off then. I think it just puts additional stress and strain on us mentally.
I don’t think people are considering that factor and OPM hasn’t provided any true reassurance.”
Scholar 5: “I have now started the process of commissioning as an officer with the Navy. My family worries that I’m choosing this path because I feel like I have no other way out — and truthfully, it’s hard for me to parse through my own thoughts on the matter; however, I am choosing to remain excited about the prospect.”
Government cybersecurity leaders know all too well that traditional pentesting is complex and doesn’t scale. The need to quickly resource up in order to effectively identify, triage and remediate vulnerabilities has become increasingly critical and, for most, a compliance requirement.
Synack empowers government agencies with on-demand, continuous pentesting, pairing the platform’s vulnerability management and reporting capabilities with a diverse community of vetted and trusted researchers to find the vulnerabilities that matter.
Synack also helps government security teams achieve the most effective vulnerability management possible to satisfy Binding Operational Directive (BOD) 22-01’s identification, evaluation and mitigation/remediation steps. The Synack approach also facilitates detailed vulnerability reporting that the agency can easily hand off to CISA if desired.
Let’s quickly review what BOD 22-01 mandates, and how federal agencies can achieve compliance with help from Synack.
CISA Binding Operational Directive 22-01—Reducing the Significant Risk of Known Exploited Vulnerabilities
Recent data breaches, most notably the 2020 cyber attack by Russian hackers that penetrated multiple U.S. government systems, have prompted the federal government to improve its efforts to protect the computer systems in its agencies and in third-party providers doing business with the government. As part of the process to improve the security of government systems, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01.
CISA Directive 22-01 tells federal agencies and contractors what they are required to do to detect and remediate known exploited vulnerabilities. The scope of this directive includes all software and hardware found on federal information systems managed on agency premises or hosted by third parties on the agency’s behalf. Required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
Directive 22-01 Compliance Requirements
In addition to establishing a catalog of known exploited vulnerabilities, Directive 22-01 establishes requirements for agencies to remediate these vulnerabilities. Required actions include:
Establishment of 1) a process for ongoing remediation of vulnerabilities and 2) internal validation and enforcement procedures
Setting up internal tracking and reporting
Remediation of each vulnerability within specified timelines
Identify reports on vulnerabilities that are actively exploited in the wild.
Evaluate the system to determine whether the vulnerability exists in the system and, if it does, how critical it is. If the vulnerability exists, determine whether it has been exploited on that system.
Mitigate and Remediate all exploited vulnerabilities in a timely manner. Mitigation refers to the steps the organization takes to stop a vulnerability from being exploited (e.g. taking systems offline), and Remediation refers to the steps taken to fix or remove the vulnerability (e.g. patching the system).
Report to CISA. Reporting how vulnerabilities are being exploited can help the government understand which vulnerabilities are most critical to fix.
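The four steps above map naturally onto a small tracking script. The following is an added example (not Synack’s or CISA’s code) that matches a software inventory against a catalog in the shape of CISA’s public KEV JSON feed, records which candidate exposures a scan or pentest actually confirmed, and summarizes open items by remediation deadline for reporting. The catalog records, CVE IDs, host names, dates and scan results are all constructed placeholders; the KEV field names used (cveID, vendorProject, product, dueDate, requiredAction) are real, but the feed carries no affected-version data, which is why a vendor/product match is treated only as a candidate that still has to be evaluated.

```python
"""Track BOD 22-01 steps: identify, evaluate, mitigate/remediate, report.
Added example, not Synack's or CISA's code. Catalog records are constructed
samples mirroring the field names of CISA's public KEV JSON feed; every CVE
ID, host name, date and scan result below is a placeholder."""
from datetime import date

# Constructed catalog sample (placeholder CVE IDs, not real entries).
KEV_CATALOG = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
     "dueDate": "2024-03-01", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCorp", "product": "LogLibrary",
     "dueDate": "2024-06-15", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "FileServer",
     "dueDate": "2024-02-10", "requiredAction": "Apply updates per vendor instructions."},
]

# Constructed asset inventory: hypothetical hosts and the products they run.
INVENTORY = [
    {"host": "web-01.example", "vendorProject": "ExampleCorp", "product": "EdgeGateway"},
    {"host": "app-02.example", "vendorProject": "ExampleCorp", "product": "LogLibrary"},
    {"host": "files-03.example", "vendorProject": "OtherVendor", "product": "FileServer"},
    {"host": "db-04.example", "vendorProject": "OtherVendor", "product": "Database"},
]

# Constructed scan/pentest results: catalog CVEs confirmed present per host
# (the evaluate step) and those since fixed and re-verified (remediate step).
CONFIRMED = {"web-01.example": {"CVE-0000-00001"}, "files-03.example": {"CVE-0000-00003"}}
REMEDIATED = {"files-03.example": {"CVE-0000-00003"}}


def identify(catalog, inventory):
    """Step 1: pair each inventoried asset with catalog entries for the same
    vendor/product. The KEV feed has no version data, so a match here is a
    candidate exposure to evaluate, not a confirmed finding."""
    index = {}
    for entry in catalog:
        index.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)
    candidates = []
    for asset in inventory:
        for entry in index.get((asset["vendorProject"], asset["product"]), []):
            candidates.append({"host": asset["host"], **entry})
    return candidates


def evaluate(candidates, confirmed, remediated):
    """Steps 2 and 3: label each candidate not_present, open, or remediated."""
    findings = []
    for cand in candidates:
        host, cve = cand["host"], cand["cveID"]
        if cve in remediated.get(host, set()):
            status = "remediated"
        elif cve in confirmed.get(host, set()):
            status = "open"
        else:
            status = "not_present"
        findings.append({**cand, "status": status})
    return findings


def days_until_due(due_date_str, today):
    """Positive means days remaining; negative means days overdue."""
    return (date.fromisoformat(due_date_str) - today).days


def build_report(findings, today):
    """Step 4: summarize open items by deadline, plus counts of the rest."""
    report = {"overdue": [], "due": [], "remediated": 0, "not_present": 0}
    for f in findings:
        if f["status"] == "open":
            remaining = days_until_due(f["dueDate"], today)
            item = {"host": f["host"], "cveID": f["cveID"], "days": remaining,
                    "requiredAction": f["requiredAction"]}
            (report["overdue"] if remaining < 0 else report["due"]).append(item)
        else:
            report[f["status"]] += 1
    report["overdue"].sort(key=lambda i: i["days"])  # most overdue first
    return report


def report_for(today_iso="2024-03-10"):
    """Run all four steps against the constructed data for a fixed date."""
    findings = evaluate(identify(KEV_CATALOG, INVENTORY), CONFIRMED, REMEDIATED)
    return build_report(findings, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, value in report_for().items():
        print(key, value)
```

Running it with the fixed date prints one overdue item (web-01.example, nine days past its due date), no items still within their window, one remediated and one not-present candidate; db-04.example never appears because nothing in the catalog matches its product. Replacing the constructed lists with the live KEV feed and a real inventory and scanner export is the only change needed to use the same flow in practice.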
Evaluating Vulnerabilities with Synack
Synack finds exploitable vulnerabilities for customers through its unique blend of the best ethical hackers in the world, specialized researchers, a managed VDP, and the integration of its SmartScan product. SmartScan uses a combination of the latest tools, tactics and procedures to continuously scan your environment and watch for changes. It identifies potential vulnerabilities and engages the Synack Red Team (SRT) and Synack Operations to review suspected vulnerabilities. The SRT is a private and diverse community of vetted and trusted security researchers, bringing human ingenuity to the table and pairing it with the scalability of an automated vulnerability intelligence platform.
If a suspected vulnerability is confirmed as exploitable, the SRT generates a detailed vulnerability report, with steps to reproduce and fix the vulnerability. Vulnerabilities are then triaged so that only actionable, exploitable vulnerabilities are presented – with severity information and priority information.
Mitigating and Remediating Vulnerabilities with Synack
Once the Synack Red Team has verified that a vulnerability is exploitable, it draws on its understanding of your applications and infrastructure to recommend, in many cases, a fix with accompanying remediation guidance for addressing the vulnerability. Synack then goes one step further, verifying that the remediation, mitigation, or patch was implemented correctly and is effective.
Reporting to CISA
Synack’s detailed vulnerability reporting and analytics offer insight into the penetration testing process, with clear metrics that convey vulnerability remediation progress and improved security posture.
Comply with CISA Directive 22-01 with Help from Synack
CISA continues to add exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, and federal agencies are expecting urgent CVEs to pop up in the not-too-distant future. The recent rush to address the log4j vulnerability will come to mind for many. The Synack Red Team can aid organizations by rapidly responding to such situations.
To secure your agency’s attack surface and comply with the CISA Directive 22-01, a strong vulnerability management strategy is essential. The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with Disclose (the Synack-managed VDP), along with the scalable nature of SmartScan, to continuously identify and triage exploitable vulnerabilities across web applications, mobile applications, and host-based infrastructure. Synack takes an adversarial approach to exploitation intelligence to show the enterprise where their most business-critical vulnerabilities are and how those vulnerabilities can be exploited by adversaries.