Supplemental Direction v1 - CISA Emergency Directive 24-01
February 1 | 2024
On Wednesday, January 31, 2024, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Supplemental Direction v1: Emergency Directive 24-01, “Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities” (the Supplemental Direction). The Supplemental Direction states:
This Supplemental Direction supersedes required action 4 in Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities and applies to any Federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).
Actions Required For Cloud Service Providers
In consultation with the Joint Authorization Board (JAB) and DHS CISA, FedRAMP emphasizes that Cloud Service Providers (CSPs) who maintain federal information fall within the scope defined by Emergency Directive 24-01.
If Emergency Directive 24-01 is not applicable, and you have already responded identifying the negative applicability, no further action is required.
If Emergency Directive 24-01 is applicable, we request that you:
- Review and implement the actions described within the Supplemental Direction v1, and
- Upload responses, using an updated Emergency Directive 24-01 FedRAMP Reporting Template, to the incident response folder in your respective FedRAMP secure repository.
- Please upload responses for required task 2e in the Supplemental Direction v1 by 1:00PM EST on Monday, February 5, 2024.
- Please upload responses for required task 3 in the Supplemental Direction v1 by 11:59PM EST on Wednesday, February 28, 2024.
After completing each individual action, we request that CSPs:
- Email all agency customer Authorizing Officials (or ISSOs), including JAB POCs (if applicable), with notification of the completed action.
- Email the FedRAMP PMO with notification of the completed action at info@fedramp.gov using the following convention for your subject line: (CSP NAME | Package ID) - Response to ED 24-01.
- Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.
If any indication of compromise or anomalous behavior is found, or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which includes reporting to CISA US-CERT and agency customers (including JAB POCs, if applicable).
If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@HQ.dhs.gov.
Guidance for Agencies
Federal agency customers can access the CSP responses from the Incident Response folder in the CSP’s respective FedRAMP secure repository. If ED 24-01 is applicable to a CSP that has not provided updated reporting template responses by the dates required above, agencies should reach out directly to the CSP If agency personnel need access to a CSP’s repository for review, please submit a FedRAMP Package Access Request Form to package-access@fedramp.gov.
References
- https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
- https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure
- https://nvd.nist.gov/vuln/detail/CVE-2023-46805
- https://nvd.nist.gov/vuln/detail/CVE-2024-21887
