CISA Emergency Directives

Table of Contents

The Cybersecurity and Infrastructure Security Agency (CISA) periodically issues “Emergency Directives,” which require action by cloud.gov, as a FedRAMP-authorized service.

In response to CISA Emergency Directives, cloud.gov will:

• provide required applicability information in our FedRAMP secure repository: https://community.max.gov/x/mjypgg
• provide status updates via our support channel to any authorized customer that requests it.
• notify agency authorizing officials, customers, and community of the applicability update via our public status service: https://cloudgov.statuspage.io.
  • (posted as a “Resolved Incident” that impacts “cloud.gov compliance notification” (operational), with “Send Notification”)

We will no longer be publicly providing our specific compliance status, as future directives could apply to components in the cloud.gov system.

FY2022

CISA Emergency Directive 22-03, “Mitigate VMware Vulnerabilities.”

In response to CISA Emergency Directive 22-03, “Mitigate VMware Vulnerabilities” (https://www.cisa.gov/emergency-directive-22-03) cloud.gov has provided required applicability information in our FedRAMP secure repository: https://community.max.gov/x/mjypgg. Customers can use the FedRAMP repository, or open a cloud.gov support request.

CISA Emergency Directive 22-02, “Mitigate log4j Vulnerability”

Please see our page, Log4J Vulnerability / ED 22-02 Update.

FY2021

CISA Emergency Directive 21-04: Windows Print Spooler

In response to CISA Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” (https://cyber.dhs.gov/ed/21-04/), cloud.gov has provided required applicability information in our FedRAMP secure repository: https://community.max.gov/x/mjypgg

We do not publicly provide specific directive compliance status. Authorized customers can access our FedRAMP package as described at https://cloud.gov/docs/overview/fedramp-tracker/#start-the-ato-process

CISA Emergency Directive 21-03 for Pulse Connect Secure: Not impacted

Cloud.gov has NO instances of Pulse Connect Secure

On April 20, 2021, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-03: “Mitigate Pulse Connect Secure Product Vulnerabilities” (https://cyber.dhs.gov/ed/21-03/)

Status: The cloud.gov system has no instances of Pulse Connect Secure. We are fully compliant with ED-21-03.

CISA Emergency Directive 21-02 for Microsoft Exchange: Not impacted

cloud.gov has NO instances of Microsoft Exchange on-premises.

On March 3, 2021, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-02: “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities” (https://cyber.dhs.gov/ed/21-02/)

Status: The cloud.gov system has no instances of Microsoft Exchange on-premises. We are fully compliant with ED-21-02.

CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise: Not impacted

On December 13, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”.

We want to assure cloud.gov customers that the SolarWinds Orion code compromise is not applicable to cloud.gov. There are no SolarWinds components in the cloud.gov system.

FY2020

CISA Directive 20-04 for Netlogon Elevation of Privilege: cloud.gov is fully compliant

On September 18, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 20-04, Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday.

The FedRAMP PMO requested that cloud.gov (and all CSPs) notify agency customers on our compliance status with the directive, which is that cloud.gov has zero systems impacted by this vulnerability.

CISA Directive 20-03 for Windows DNS: cloud.gov is fully compliant

On July 16, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 20-03, Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday.

The FedRAMP PMO requested that cloud.gov (and all CSPs) notify agency customers on our compliance status with the directive, which is that cloud.gov has zero systems impacted by this vulnerability.

CISA Directive 20-02: Mitigate Windows Vulnerabilities

On January 15, 2020, the FedRAMP program office directed all authorized cloud service providers to comply with Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 20-02, Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

cloud.gov confirms that it has zero affected endpoints in the FedRAMP authorized boundary, and hence has 100% patch compliance.

Further, cloud.gov has zero affected endpoints under our management outside the boundary, e.g. in development or test environments.

We want to assure cloud.gov agency customers that their systems, and our product, have no exposure to this particular vulnerability.