Federal Cybersecurity Directive Spotlights Aging Computer Systems

Under the Federal Information Security Management Act, enacted in 2002, federal agencies are already required to meet a set of information-security standards, said Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington, D.C., think tank.

“It’s a bit shocking that this is even a directive,” Mr. Castro said about Wednesday’s announcement. “It’s literally telling the federal government’s cybersecurity staff that they should patch IT systems with known vulnerabilities,” he said. “Of course they should.”