Emergency Directive 21-01: Supplemental Guidance
CISA Advisory
Original Release Date: 12/31/2020
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has released Supplemental Guidance to Emergency Directive 21-01. This guidance supplements the Emergency Directive (ED) 21-01 and Supplemental Guidance v1 issued on December 18, 2020.
Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
While the Emergency Directive is aimed at federal agencies, the NJCCIC encourages the broader cyber community to review and consider taking these actions as part of your event management and mitigation.
Reporting
We encourage recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form here.
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.