CISA Emergency Directive 24-01
On Friday, January 19, 2024, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01, “Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities” (the Emergency Directive). The Emergency Directive states the following:
CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.
CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.
Actions Required for CSPs
In consultation with the Joint Authorization Board (JAB) and DHS CISA, FedRAMP emphasizes that Cloud Service Providers (CSPs) who maintain federal information fall within the scope defined by Emergency Directive 24-01. Therefore, we request that you:
- Review and implement the actions described within the Emergency Directive, and
- Upload responses, using the Emergency Directive 24-01 FedRAMP Reporting Template, to the incident response folder in your respective FedRAMP secure repository.
Please upload responses, including identifying applicability or negative applicability, by 11:59 PM Eastern Standard Time on Wednesday, January 24, 2024.
When these actions are complete, we request that you:
- Email all agency customer Authorizing Officials (or ISSO), including JAB POCs (if applicable), with notification of the completed action.
- Email the FedRAMP PMO with notification of the completed action at email@example.com using the following convention for your subject line: (CSP NAME | Package ID) - Response to ED 24-01.
- Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.
If any indication of compromise or anomalous behavior is found, or there is any suspected impact to federal systems, please follow the FedRAMP Incident Communication Procedures, which include reporting to CISA US-CERT and agency customers (including JAB POCs, if applicable).
Guidance for Agencies
Federal agency customers can access the CSP responses from the Incident Response folder in the CSP’s respective FedRAMP secure repository. Agencies should reach out directly to the CSP if the CSP has not provided its reporting template response by Thursday, January 25, 2024. If agency personnel need access to a CSP’s repository for review, please submit a FedRAMP Package Access Request Form to firstname.lastname@example.org.