The Cybersecurity and Infrastructure Security Agency (CISA) released a new round of supplemental guidance on Jan. 6 to the emergency directive that the agency issued on Dec. 13, 2020, providing remediation guidance in response to the Russia-backed hack of more than 18,000 government and private sector systems via SolarWinds Orion products.
The guidance update “requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2020.”
The due dates for guidance compliance appear to be in error, and should refer to 2021, rather than 2020.
The remediation guidance is aimed at Federal government agencies, which are required to comply with CISA’s emergency directives. CISA noted that the guidance does not apply to Defense Department, intelligence agency, or other “national security systems.”
The latest guidance, CISA said, supersedes the Emergency Directive (ED) 21-01 supplemental guidance versions one and two issued on Dec. 18 and Dec. 30, along with some of the required actions in the original version. “All other provisions of ED 21-01 remain in effect,” CISA said.
The guidance update features extensive information about affected versions of SolarWinds software, categorization of network exposure including attacks that involved only “initial beaconing activity” as well as “follow-on threat actor activity,” conditions for agencies that continue operating affected SolarWinds Orion products, and Federal systems hosted in cloud environments.
On the cloud service front, CISA said it is “working closely with FedRAMP to coordinate the response to ED 21-01 with FedRAMP Authorized cloud service providers (CSPs).”
“FedRAMP Authorized CSPs have been informed to coordinate with their agency customers,” CISA said, adding that the agency is “also aware of third parties providing services for federal information systems subject to ED 21-01 that may not be covered by a FedRAMP authorization.”
“Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status pertaining to, and to ensure compliance with, ED 21-01,” CISA said. “If instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider,” the agency said.