DHS tightens patching deadlines
- By Derek B. Johnson
- May 01, 2019
Federal agencies have just 15 days to patch critical IT vulnerabilities, according to a new Binding Operational Directive issued by the Department of Homeland Security on April 29.
The order cuts in half the time agencies have to patch vulnerabilities -- from 30 days of being detected to 15. It also compels all civilian agencies to review DHS' weekly cyber hygiene reports that identify both critical and high vulnerabilities and patch them within 15 and 30 calendar days of being detected, not when agencies are first informed about them.
According to the directive, the Cybersecurity and Infrastructure Security Agency is exploring a way to send real-time alerts to agencies when a vulnerability is discovered so they don't have to wait for the weekly hygiene reports to start patching.
Agencies must also unblock IP addresses associated with DHS' Cyber Hygiene scoring service and notify CISA of any changes to agency internet-accessible IP addresses within five days of any change.
If agencies fail to patch within those timeframes, DHS will essentially write a remediation plan for them and begin addressing the problem with top IT officials at the agency. "CISA will engage Agency CIOs, CISOs, and [Senior Accountable Officials for Risk Management] throughout the escalation process, if necessary," the directive states.
The directive supersedes and replaces the first-ever such directive issued in 2015, which set baseline standards for how quickly agencies should patch critical vulnerabilities for internet-accessible systems when they're discovered. While officials have cited the order as being responsible for a major drop in response time from agencies (from an average of 150 days to 20), the new directive notes that "recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today's adversaries are more skilled, persistent, and able to exploit known vulnerabilities."
At a House Homeland Security Committee hearing the day after the BOD was issued, CISA Director Christopher Krebs said the evolution and maturing of the department's Continuous Diagnostics and Mitigation program has helped lay the groundwork for faster identification and remediation of software, system and network vulnerabilities that the new directive is intended to capture.
"We are able to see what are going on in those agencies in terms of those critical vulnerabilities or those high vulnerabilities," said Krebs. "So we can actually measure now, we have the visibility so we can see and we can take action."
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.