Executive Viewpoint

Biden Administration Directs Federal Agencies to Patch Known Vulnerabilities

VMware continues to assist public organizations in their defense against cyberattacks

Today, the Biden administration ordered nearly all federal agencies to patch hundreds of cybersecurity vulnerabilities that are known to be exploited, where patches are available. This directive is one of the first actions taken by the Cybersecurity and Infrastructure Security Agency (CISA) and its Joint Cyber Defense Collaborative (JCDC), of which VMware is a member. 

VMware values its long-standing strategic partnership with the federal government and our federal partners in helping to combat cyber and ransomware attacks. As the foundation for critical infrastructure in today’s connected world, VMware brings a unique perspective to the JCDC. With cyberattacks growing in sophistication and frequency, VMware is committed to demonstrating transparency, security accountability, and collaboration with the JCDC, CISA and other federal agencies.  

Hardening government systems is paramount to improving the security ecosystem and defending cyberspace globally. We must provide the tools that federal agencies need to protect themselves and draw upon VMware’s level of visibility into the threats that put the federal government at risk. We commend CISA for partnering with the private sector to bring more attention to known exploited vulnerabilities where patches are available, and to encourage immediate action.

CISA’s catalog of known exploited vulnerabilities can be found here. We urge both the public and private sectors to apply the available patches immediately. Vulnerability management is critical to protect both infrastructure and industry from threats ranging from ransomware to supply chain attacks. Any critical system that is out of date is a meaningful security risk. VMware publishes our own security advisories here as part of our responsibility to customers and stakeholders.

In addition to hardening and patching to keep systems up to date and consistently maintained, improved cyber hygiene is imperative for any security program. Some basic principles of cyber hygiene on the journey toward Zero Trust include: 

  1. Multi-factor Authentication: Verify users and system components using multiple factors (not just simple passwords) and according to the risk associated with the requested access or function. 
  2. Least Privilege: Allow users only the minimum necessary access needed to perform their job and nothing more. System components should be allowed only the minimum necessary function required. 
  3. Micro-segmentation: Divide the whole IT environment into smaller parts to make it more manageable to protect and contain the damage if one part gets compromised. 
  4. Encryption: Encrypt all data, whether stored or transmitted. In the event of a data breach, critical files should yield only unreadable data.
  5. Behavior-based Approaches: Implement behavior-based approaches for prevention, detection and response. The new breed of sophisticated attacks will not be addressed with legacy anti-malware solutions. Attacks that leverage legitimate software, like the SolarWinds breach, require behavior-based approaches for prevention, detection, and response. 

As we lead the way in making cybersecurity an inherent and distributed part of our infrastructure, we are honored to team up with CISA to proactively address and defend against the growing wave of cyberattacks on US organizations and government agencies.