The Cybersecurity and Infrastructure Security Agency (CISA) said today it is “encouraged” by quick Federal agency responses to its May 18 emergency directive to patch or unplug several vulnerable VMware products from agency networks, but did not provide any hard figures on whether agencies met CISA’s May 24 deadline to take action.
After finding that a series of vulnerabilities were being exploited in some VMware products, CISA responded last week by issuing Emergency Directive 22-03 which requires Federal agencies to “enumerate and immediately update all affected VMware products.”
CISA also ordered that if those VMware products could not be updated, they needed to be removed from Federal agency networks. And it said that those products that are accessible from the internet should be assumed to be compromised.
“Federal agencies had until May 24 at noon to provide CISA with their status updates,” the agency told MeriTalk in response to inquiries.
“While agency reports are still coming in and being processed, CISA is encouraged by the prompt responses and appreciates the efforts agencies have made to protect the federal enterprise,” a CISA spokesperson said.
CISA said last week that its emergency directive will remain in effect “until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.”
