Supplemental Direction v2 - CISA Emergency Directive 24-01

February 12 | 2024

Actions Required For Cloud Service Providers

In consultation with the Joint Authorization Board (JAB) and DHS CISA, FedRAMP emphasizes that Cloud Service Providers (CSPs) who maintain federal information fall within the scope defined by Emergency Directive 24-01.

If Emergency Directive 24-01 is not applicable, and you have already responded identifying the negative applicability, no further action is required.

On Friday, February 9, 2024, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Supplemental Direction v2: Emergency Directive 24-01, “Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities” (the Supplemental Direction). The Supplemental Direction states:

This Supplemental Direction supersedes Supplemental Direction V1: Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities issued on January 31, 2024. This version also supersedes Required Action 4 of ED 24-01. All other provisions of ED 24-01 remain in effect. This Supplemental Direction applies to any federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).

On February 8, 2024, Ivanti reported a new vulnerability (CVE-2024-22024) affecting a limited number of supported Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2) and Ivanti Policy Secure (version 22.5R1.1) solutions. This newly disclosed vulnerability enables an attacker to access restricted resources without authentication. On February 8, 2024, Ivanti released new security updates that replace the previous updates released on January 31, 2024, and February 1, 2024, and, additionally, address CVE-2024-22024. This Supplemental Direction V2 adds a requirement for agencies running those software versions to apply appropriate security updates.

If Emergency Directive 24-01 is applicable, we request that you:

Review and implement the actions described within the Supplemental Direction v2, and
Upload responses, using an updated Emergency Directive 24-01 FedRAMP Reporting Template, to the incident response folder in your respective FedRAMP secure repository.
- Please upload updated responses in the Supplemental Direction v2 by 1:00PM EST on Wednesday, February 14, 2024.
- Please upload responses for Requirement 5 in the Supplemental Direction v2 by 11:59PM EST on Wednesday, February 28, 2024.

After completing each individual action, we request that CSPs:

Email all agency customer Authorizing Officials (or ISSOs), including JAB POCs (if applicable), with notification of the completed action.
Email the FedRAMP PMO with notification of the completed action at info@fedramp.gov using the following convention for your subject line: (CSP NAME | Package ID) - Response to ED 24-01.
Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.

If any indication of compromise or anomalous behavior is found, or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which includes reporting to CISA US-CERT and agency customers (including JAB POCs, if applicable).

If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@HQ.dhs.gov.

Guidance for Agencies

Federal agency customers can access the CSP responses from the Incident Response folder in the CSP’s respective FedRAMP secure repository. If ED 24-01 is applicable to a CSP that has not provided updated reporting template responses by the dates required above, agencies should reach out directly to the CSP If agency personnel need access to a CSP’s repository for review, please submit a FedRAMP Package Access Request Form to package-access@fedramp.gov.

References

Back to Blogs