In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations.
The United States Department of Homeland Security (DHS) has ordered government agencies to plug critical security vulnerabilities found on their networks more swiftly: within 15 calendar days of initial detection, down from 30 days.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) this week issued a new Binding Operational Directive (BOD) 19-02 instructing federal agencies and departments to address “critical” rated vulnerabilities within 15 days and “high” severity flaws within 30 days of initial detection.
The countdown to patch a security vulnerability starts when the vulnerability is first detected during CISA’s weekly Cyber Hygiene vulnerability scanning, rather than when it is first reported to the affected agency.
“As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems,” reads the memo from CISA Director Chris Krebs.
“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities.”
Therefore, to minimize the risk of unauthorized access to federal information systems and reduce the overall attack surface, CISA wants government agencies to review and remediate critical vulnerabilities on Internet-facing systems before hackers and cybercriminals exploit them.
The recently created CISA provides regular reports to federal agencies on Cyber Hygiene scanning results and current status, informing them of the detected vulnerabilities, classified by their CVSSv2 score.
If an agency does not complete remediation within the allotted time period, CISA will send it an additional reminder asking it to submit a complete remediation plan to CISA within three working days.
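As an added illustration of the timeline described above (example code, not from CISA or the directive): a small tracker that computes the 15- and 30-day deadlines from the Cyber Hygiene detection date and the three-working-day remediation-plan deadline once a finding is overdue. The CVSSv2 severity bands, the CSV line format, the weekend-only working-day rule and the reminder going out the day after the deadline lapses are assumptions not stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DEADLINE_DAYS = {"critical": 15, "high": 30}  # calendar days from first detection (BOD 19-02)
PLAN_WORKING_DAYS = 3  # remediation plan due this many working days after the reminder

@dataclass
class Finding:
    host: str
    cvss_v2: float
    detected: date  # date of the Cyber Hygiene scan that first observed the flaw

def parse_finding(line: str) -> Finding:
    """Parse one constructed 'host,cvss_v2,YYYY-MM-DD' line (this CSV layout is assumed)."""
    host, score, detected = line.strip().split(",")
    return Finding(host, float(score), date.fromisoformat(detected))

def severity(cvss_v2: float) -> str:
    """ASSUMED CVSSv2 banding: 10.0 critical, 7.0-9.9 high, 4.0-6.9 medium, else low."""
    for floor, name in ((10.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss_v2 >= floor:
            return name
    return "low"

def due_date(finding: Finding) -> "date | None":
    """Remediation due date, or None when the directive sets no deadline for the band."""
    days = DEADLINE_DAYS.get(severity(finding.cvss_v2))
    return None if days is None else finding.detected + timedelta(days=days)

def add_working_days(start: date, n: int) -> date:
    """Advance n working days (Mon-Fri); ASSUMES no holiday calendar."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

def status(finding: Finding, today_iso: str) -> dict:
    """Classify a finding as untracked, in window, or overdue (with the plan deadline)."""
    today = date.fromisoformat(today_iso)
    sev, due = severity(finding.cvss_v2), due_date(finding)
    if due is None:
        return {"severity": sev, "tracked": False}
    overdue = today > due
    # ASSUMPTION: the reminder goes out the day after the deadline lapses.
    plan_due = add_working_days(due + timedelta(days=1), PLAN_WORKING_DAYS) if overdue else None
    return {"severity": sev, "tracked": True, "due": due.isoformat(),
            "overdue": overdue, "plan_due": plan_due.isoformat() if overdue else None}
```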
BOD 19-02 replaces BOD 15-01—Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems (May 21, 2015)—which gave federal agencies 30 days to patch critical vulnerabilities.
This is the second BOD that CISA has released this year. Following a series of DNS hijacking incidents, the agency issued an “emergency directive” earlier this year, ordering federal agencies to audit DNS records for their respective website domains and other agency-managed domains within 10 days.