Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days

The U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems.

The U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems.

Specifically, BOD 19-02 gives government organizations 15 days to address critical vulnerabilities and 30 days for high-severity flaws. The countdown starts when a vulnerability was initially detected, rather than when it was first reported to agencies.

Internet-exposed government systems undergo Cyber Hygiene scanning to help agencies identify vulnerabilities. The recently created Cybersecurity and Infrastructure Security Agency (CISA) provides regular reports to agencies, informing them of the detected flaws, classified based on their CVSSv2 score.

The new BOD 19-02 also instructs the CISA to provide technical expertise and guidance for remediation, and send a monthly report to the Office of Management and Budget (OMB) to identify trends and challenges and facilitate any policy or budget-related actions that may be required.

Agencies that fail to address vulnerabilities within the allocated time frame have been given three days to submit a remediation plan describing the constraints that prevent it from addressing the flaw, mitigations, and an estimated completion date. CISA will provide pre-populated remediation plan templates to ensure that the information can be provided in such a short time.

BOD 19-02 replaces the 2015 BOD 15-01 (Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems), which gave government organizations 30 days to patch critical security holes.

“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” the DHS said.

However, some experts believe 15 days might not be quick enough in some situations.

Advertisement. Scroll to continue reading.

“This is a good initiative, one for which all reputable private sector enterprises already subscribe to via third party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector as it is definitely a best practice in the industry,” Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs, told SecurityWeek.

However, Hahad added, “I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”

Related: DHS Orders Government Agencies to Stop Using Kaspersky Products

Related: Many Federal Agencies Fail to Meet DMARC Implementation Deadline

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...