
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Wednesday in response to a “significant cyber threat” targeting federal networks through certain devices and software made by the technology company F5.
The directive orders all Federal Civilian Executive Branch (FCEB) agencies to apply the latest vendor-provided update for at-risk F5 virtual and physical devices and downloaded software – including F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF – by Oct. 22. Agencies must also follow the instructions in F5’s Quarterly Security Notification.
“Despite the government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, CISA remains steadfast in its commitment to protect our federal networks from nation-state adversaries,” said Madhu Gottumukkala, acting director of CISA, in a press release.
“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” Gottumukkala added. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems. We emphatically urge all entities to implement the actions outlined in this Emergency Directive without delay.”
The directive follows F5’s disclosure that a threat actor has had long-term persistent access to and exfiltrated files from the company’s BIG-IP product development environment and engineering knowledge management platforms.
During a media briefing on Wednesday, Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters that CISA is not publicly attributing the activity at this time to either a country or specific entities that may be responsible.
Andersen said that “there are thousands of instances of F5 product types” within FCEB agencies. However, he noted that the emergency directive is meant to help the agency better understand the scope and “any potential compromises.”
At this time, Andersen said CISA is “not aware of any potential data compromise out there within the FCEB.”
Notably, Andersen confirmed that staff impacted by the layoffs on Friday “does not include people who would be working on this directive.”
“This is really part of getting CISA back on mission. So, while yes, this may be the third emergency directive that has been issued since the beginning of the Trump administration, this is the core operational mission for CISA,” Andersen said. “We’re able to continue to perform that mission in collaboration with our FCEB partners right now.”