びびなび : ワシントンDC : (アメリカ合衆国) Washington DC

Security Update: Announcing the launch of the 2025 Q1 CMS Enterprise Security Campaign








CMS Cloud


CMS Hybrid Cloud Launches the 2025 Q1 CMS Enterprise Security Campaign

________________________________________________________________________



Summary: 

Starting today *February 10th, 2025*, the CMS Hybrid Cloud Team will begin the Q1 2025 CMS Enterprise Security Campaign.

Any findings will be tracked via Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] and assigned to the respective teams to remediate risks. The Q1 CMS Enterprise Security Campaign is targeting a list of eleven (11) Common Vulnerabilities and Exposures (CVEs) sourced from Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

On *February 19th, 2025*, new AWS Security Hub GuardRails will be added to *all accounts* to prevent reintroduction of certain findings back into the CMS environment. In addition, Q4 2024 GuardRails that were only applied to Non-Marketplace accounts, in consideration of Open Enrollment, will be added to *Marketplace accounts*.

Benefits

Resolving findings in customers' Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.

The CMS Enterprise Security Campaign will target and identify the following CVEs from CISA's KEV catalog:

Targeted Known Exploited Vulnerabilities (KEVs)

*CVEs on KEV List* *Plugin ID* *Description* *Severity* CVE-2024-49129,
CVE-2024-49132,
CVE-2024-49138 212223 KB5048654: Windows Server 2022 / Azure Stack HCI 22H2 Security Update (December 2024) Critical CVE-2024-49128,
CVE-2024-49129,
CVE-2024-49138 212232 KB5048671: Windows 10 Version 1607 / Windows Server 2016 Security Update (December 2024) Critical CVE-2024-49110,
CVE-2024-49111,
CVE-2024-49074 212239 KB5048661: Windows 10 version 1809 / Windows Server 2019 Security Update (December 2024) Critical CVE-2024-23206,
CVE-2024-23213,
CVE-2023-40414 197749 RHEL 8 : webkit2gtk3 (RHSA-2024:2982) Critical CVE-2016-6816,
CVE-2016-8735,
CVE-2016-8735 197848 Apache Tomcat 7.0.0 < 7.0.73 multiple vulnerabilities Critical CVE-2020-14864 171961 Oracle Business Intelligence Enterprise Edition (Oct 2020 CPU) High CVE-2023-44487 183347 Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2023-393) High CVE-2023-44487 183350 Amazon Linux 2023 : libnghttp2, libnghttp2-devel, nghttp2 (ALAS2023-2023-392) High CVE-2024-36979,
CVE-2024-38538,
CVE-2021-47018 205214 RHEL 8 : kernel (RHSA-2024:5101) High CVE-2024-38226 206892 Security Updates for Microsoft Publisher Products (September 2024) High CVE-2024-20399 201218 Cisco NX-OS Software CLI Comm Injection (cisco-sa-nxos-cmd-injection-xD9OhyOP) Medium

"*Note:* "Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. Please note that CMS customers are responsible for patching any software installed on top of the provided CMS Gold Image.


* For *all accounts*, CMS Hybrid Cloud will deploy auto-remediation for the following Security Hub controls:
* GuardRails / auto-remediations (Security Hub controls):
* Lambda.1 [ https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-1 ] - Lambda function policies should prohibit public access
* EC2.1 [ https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-1 ] - Amazon EBS snapshots should not be publicly restorable
* GuardRails were applied to Non-Marketplace in 2024 Q4, GuardRails for Marketplace

* EC2.18 [ https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-18 ] - Security groups should only allow unrestricted incoming traffic for authorized ports
* GuardRails were applied to Non-Marketplace in 2024 Q4, GuardRails for Marketplace

* S3.8 [ https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-8 ] - S3 general purpose buckets should block public access
* GuardRails were applied to Non-Marketplace in 2024 Q4, GuardRails for Marketplace

* RDS.2 [ https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-2 ] - RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration
* GuardRails were applied to Non-Marketplace in 2024 Q4, GuardRails for Marketplace


* CMS customer teams with existing findings for these Security Hub controls will receive a Jira ticket.
* Teams will either need to resolve the finding or obtain an exemption [ https://cloud.cms.gov/exemption-policy-guide-aws-security-hub ].

Expected Actions

* CMS customer teams with findings will receive a Jira ticket [ https://jiraent.cms.gov/secure/Dashboard.jspa ].
* If you would like to obtain an exemption, you will need to complete an attestation [ https://cloud.cms.gov/compliance-attestations ].

* CMS customers should resolve all received Jira tickets as soon as possible.
* For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support Ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ].

* Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
* Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.

Timeline

* *February 10th, 2025**:* CMS Customers with findings will receive Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] for the finding noted in the "Benefits" section above.
* *February 19th, 2025: *CMS Hybrid Cloud will add new AWS Security Hub GuardRails to *all accounts *to protect CMS systems from reintroducing findings back into the environment.

Additional Information

* Learn about Security Hub Campaigns [ https://cloud.cms.gov/cms-cloud-security-campaigns ]
* Exemption Policy Guide [ https://cloud.cms.gov/exemption-policy-guide-aws-security-hub ]

Questions or Concerns

We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. 

For further help, please fill out a Hybrid Cloud Support ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ] specifying *Service *as "Security Hub" and *Request* as "Security Hub Findings".



Office of Information Technology




You are subscribed to receive email messages about CMS Cloud Operations, Changes, and Outages from the Centers for Medicare & Medicaid Services (CMS).

To update your subscription(s), preferences or to stop receiving messages from the CMS Cloud Operations, Changes, and Outages Updates- distribution list, please go to our Subscriber Preferences Page [ https://public.govdelivery.com/accounts/USCMS/subscriber/new?category_id=USCMS_C176 ].

________________________________________________________________________

This email was sent to mshinji3056@gmail.com using GovDelivery Communications Cloud 7500 Security Boulevard · Baltimore MD 21244


body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;} table.govd_hr {min-width: 100%;}