DHS gives agencies 15-day deadline to patch security flaws
The US Department of Homeland Security (DHS) issued a binding operational directive today that sets tight deadlines within which US federal agencies must patch security flaws found in their Internet-accessible systems.
According to BOD 19-02, published today, agencies have 15 calendar days to fix a vulnerability rated "critical" and 30 calendar days to fix one rated "high."
The clock starts the moment the DHS' Cyber Hygiene vulnerability scanning service first detects the flaw during its routine scans of agency systems.
When that happens, the Cyber Hygiene service notifies the affected agency's IT team, which must remediate the flaws within the deadline or face administrative consequences.
If vulnerabilities are not remediated within the specified timeframe, the DHS will send an additional reminder to agencies.
Agencies can respond to these reminders by explaining why they have not yet patched, describing the interim mitigations they have deployed, and providing an estimate of when they plan to fix the vulnerable systems.
The DHS does not expect every flaw to be fixed on time, or even patched at all, since some affected systems have reached end-of-life and no longer receive security updates.
The DHS will evaluate and rank vulnerabilities using CVSSv2 severity scores, an older scale that differs from the more widely used CVSSv3, which means the "high" and "critical" ratings assigned under the directive will not necessarily line up with what most security practitioners consider "high" and "critical" today.
Prior to today’s directive, the DHS required that agencies fix “critical” flaws within 30 days, and did not give government agencies any deadline for fixing vulnerabilities rated as “high.”
BOD 19-02 was issued today by the DHS' new cyber-security division, the Cybersecurity and Infrastructure Security Agency (CISA).
This is the second binding operational directive CISA has issued this year. In January the agency issued a directive with guidance on how agencies could secure their Internet domains against a wave of DNS hijacking incidents attributed to Iranian threat actors.