Federal civilian agencies are not patching vulnerable Cisco devices sufficiently to protect themselves from an active hacking campaign, the Cybersecurity and Infrastructure Security Agency warned.