The Department of Homeland Security wants agencies to move even faster to repair system vulnerabilities.
The 2015 requirement to fix critical system vulnerabilities within 30 days is now cut in half, to 15 days, and agencies must for the first time fix “high” vulnerabilities within 30 days. DHS issued a new binding operational directive (BOD 19-02) Monday setting the new deadlines for vulnerabilities identified through its Cyber Hygiene scanning of agencies’ Internet-accessible systems.
“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” wrote Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency. “Agencies are responsible for managing risk to their networks, and should remediate vulnerabilities to critical systems as quickly as possible. The 15 day and 30 day requirements in the BOD are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices.”
The new directive replaces BOD 15-01, the 2015 directive that set a 30-day deadline for fixing critical vulnerabilities and was issued in the aftermath of the Office of Personnel Management data breach. The 2015 directive did not require agencies to address high vulnerabilities at all.
“BOD 19-02 starts tracking vulnerabilities from the point of initial detection, rather than the date of first report to agencies,” the directive states. “Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection. CISA encourages agencies to use internal scanning capabilities to detect vulnerabilities prior to the delivery of weekly Cyber Hygiene reports. CISA is exploring the sending of alerts to agencies as vulnerabilities are discovered to help bridge the gap between detection and notification.”
DHS says if agencies do not remediate vulnerabilities in the specified timeframes, CISA will “send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency point of contact for validation and population. Agencies shall return the completed remediation plan within three working days of receipt…”
In that plan, DHS wants agencies to report any constraints on remediation, the interim steps they are taking to mitigate the vulnerability while those constraints are overcome, and an estimated completion date for the fix.
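The mechanics described above (15- and 30-day clocks that start at initial detection rather than first report, an overdue list of in-scope findings, and a pre-populated plan whose constraint, interim-mitigation and completion-date fields the agency fills in) are easy to get subtly wrong in a tracking spreadsheet. The following is an added example, not code from DHS, CISA or the directive, showing how a vulnerability-management team might compute deadlines and the overdue list from its own scan data. The finding records, host names and scan identifiers are constructed for illustration; the `plan_return_due` helper counts three working days as weekdays only and does not account for federal holidays.

```python
"""Deadline tracking in the spirit of BOD 19-02 (added example, not CISA's tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation clocks in calendar days, keyed by severity, as described in the article.
# Medium and low findings have no BOD 19-02 deadline and are treated as out of scope here.
REMEDIATION_DAYS = {"critical": 15, "high": 30}


@dataclass
class Finding:
    host: str
    scan_id: str            # constructed scanner identifier, not a real vulnerability ID
    severity: str
    first_detected: date    # first time the scanner saw it: the BOD 19-02 clock start
    first_reported: date    # first weekly report it appeared in: the older BOD 15-01 clock start
    remediated: Optional[date] = None

    def due_date(self, clock: str = "first_detected") -> Optional[date]:
        """Deadline under the chosen clock; None when the severity carries no deadline."""
        days = REMEDIATION_DAYS.get(self.severity.lower())
        if days is None:
            return None
        return getattr(self, clock) + timedelta(days=days)

    def is_overdue(self, today: date, clock: str = "first_detected") -> bool:
        due = self.due_date(clock)
        return due is not None and self.remediated is None and today > due


def overdue_findings(findings: List[Finding], today: date,
                     clock: str = "first_detected") -> List[Finding]:
    """All unremediated in-scope findings past their deadline, oldest deadline first."""
    late = [f for f in findings if f.is_overdue(today, clock)]
    return sorted(late, key=lambda f: (f.due_date(clock), f.host))


def prepopulated_plan(findings: List[Finding], today: date) -> List[Dict[str, object]]:
    """Remediation-plan rows: the scan-derived columns filled in, the agency's columns blank."""
    rows = []
    for f in overdue_findings(findings, today):
        due = f.due_date()
        rows.append({
            "host": f.host,
            "scan_id": f.scan_id,
            "severity": f.severity,
            "first_detected": f.first_detected.isoformat(),
            "due": due.isoformat(),
            "days_overdue": (today - due).days,
            # Fields the agency must populate before returning the plan.
            "constraints": "",
            "interim_mitigation": "",
            "estimated_completion": "",
        })
    return rows


def plan_return_due(received: date, working_days: int = 3) -> date:
    """Date by which the completed plan is due: N weekdays after receipt (holidays ignored)."""
    day = received
    remaining = working_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:   # Monday..Friday
            remaining -= 1
    return day


# Constructed sample scan data; "today" is chosen so that one finding is overdue only
# under the detection clock, which is exactly the change BOD 19-02 made.
SAMPLE_FINDINGS = [
    Finding("web01", "scan-1001", "critical", date(2019, 4, 10), date(2019, 4, 15)),
    Finding("vpn01", "scan-1002", "high",     date(2019, 3, 20), date(2019, 3, 22)),
    Finding("mail01", "scan-1003", "high",    date(2019, 4, 20), date(2019, 4, 22)),
    Finding("web02", "scan-1004", "critical", date(2019, 4, 1),  date(2019, 4, 1),
            remediated=date(2019, 4, 12)),
    Finding("dns01", "scan-1005", "medium",   date(2019, 1, 1),  date(2019, 1, 7)),
]
TODAY = date(2019, 4, 27)


def overdue_hosts(clock: str = "first_detected") -> List[str]:
    return [f.host for f in overdue_findings(SAMPLE_FINDINGS, TODAY, clock)]


if __name__ == "__main__":
    print("overdue by detection clock:", overdue_hosts("first_detected"))
    print("overdue by report clock:   ", overdue_hosts("first_reported"))
    for row in prepopulated_plan(SAMPLE_FINDINGS, TODAY):
        print(row)
    print("plan due back by:", plan_return_due(date(2019, 4, 29)))
```

Running the sample shows the practical effect of the clock change: web01 is overdue when counted from its scanner detection date but still inside the window when counted from the weekly report that first listed it, so a team that keys its tracker to report dates will under-count its overdue findings.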
DHS says it will hold agencies accountable, in part, through the Federal Cyber Exposure Scorecard (FCES), which is sent to agency leadership and which, since March, has shown counts of high vulnerabilities alongside the critical vulnerability counts.
“CISA recommends configuring patch management and vulnerability management programs to exceed BOD 19-02 requirements and to prioritize certain vulnerabilities and devices over others as part of normal security operations,” DHS states. “CISA expects agencies to begin formulating remediation strategies well in advance of the 15 and 30 day deadlines, to accelerate remediation of vulnerabilities and allow easy integration of remediation information into plans for submittal to CISA once baselines are surpassed. CISA is compensating for the short turn-around time by providing a mostly pre-populated remediation plan for agency personnel to complete. Agencies only need to complete the data fields for mitigation steps, constraints and estimated completion dates. This will ensure agencies are reporting the correct vulnerabilities within remediation plans, especially prior to changes introduced by the next week’s Cyber Hygiene reports.”