In the face of increasing cybersecurity threats, the Department of Homeland Security (DHS) has been proactive in issuing emergency directives to safeguard federal networks. These directives are a response to known or reasonably suspected information security threats, vulnerabilities, or incidents that pose a substantial threat to the information security of an agency.
The Authority Behind the Directives
The authority to issue these directives comes from Section 3553(h) of title 44, U.S. Code. This section authorizes the Secretary of Homeland Security to issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of an information system that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, including a system used or operated by another entity on behalf of an agency. The purpose of these directives is to protect the information system from, or mitigate, an information security threat.
Case Study: Mitigating SolarWinds Orion Code Compromise
One notable example of such a directive is Emergency Directive 21-01, issued in response to the compromise of SolarWinds Orion products. This directive was issued after it was discovered that SolarWinds Orion products were being exploited by malicious actors. The exploitation of these products posed an unacceptable risk to Federal Civilian Executive Branch agencies and required emergency action.
The directive required agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. This was the only known mitigation measure available at the time. The directive was based on the current exploitation of affected products, their widespread use to monitor traffic on major federal network systems, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.
The DHS's emergency directives represent a critical tool in the fight against cybersecurity threats. By issuing these directives, the DHS can quickly respond to emerging threats and help protect the integrity of federal networks. As cybersecurity threats continue to evolve, these directives will undoubtedly play a crucial role in the nation's cybersecurity strategy.
Remember, cybersecurity is a shared responsibility. Stay vigilant, stay informed, and stay safe. If you have any questions, please call 210-761-3332.