US Department of Homeland Security directive requires federal agencies to fix critical flaws within 15 days
The countdown starts as soon as a critical flaw is detected after weekly 'cyber hygiene' scan
The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) has issued a new binding operational directive (BOD) for federal agencies, ordering them to patch critical security flaws discovered on their internet-accessible systems within 15 days of first detection.
The countdown to remediate starts as soon as a flaw is first detected during CISA's weekly cyber hygiene vulnerability scanning.
The order halves the previous 30-day deadline for patching critical flaws. Flaws rated "high" in severity still have a 30-day deadline for fixing.
"The federal government must continue to take deliberate steps to reduce the overall attack surface and minimise the risk of unauthorised access to federal information systems as soon as possible," reads the memo from CISA Director Chris Krebs.
The new BOD 19-02, entitled "Vulnerability Remediation Requirements for Internet-Accessible Systems," is a compulsory order for US government agencies, departments and the executive branch. It aims to protect sensitive information from attackers and replaces BOD 15-01 that was in effect since May 2015.
Under the new directive, federal agencies will be responsible for timely remediation of all vulnerabilities discovered under cyber hygiene scanning. It is intended to ensure that all vulnerabilities are checked and fixed in a timely manner.
If an agency fails to patch a vulnerability within the set timeframe, it must submit a remediation plan to CISA within three working days.
CISA was recently created to provide security reports to federal agencies and departments on cyber hygiene scanning results. In its reports, CISA provides information to other government agencies about detected vulnerabilities, classifying them on the basis of the CVSSv2 score.
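As an added illustration of the timelines described above (not code from CISA or the directive), the following tracker takes constructed scan findings and works out, from the first-detection date, the 15-day (critical) or 30-day (high) due date, whether a finding is overdue, and when the remediation plan would then be due. The CVSSv2 severity bands (critical at 10.0, high at 7.0 to 9.9) and the finding record layout are assumptions, not taken from the article.

```python
from datetime import date, timedelta

# Remediation deadlines under BOD 19-02, counted from first detection by
# CISA's weekly cyber hygiene scan (as described in the article).
DEADLINE_DAYS = {"critical": 15, "high": 30}
PLAN_WORKING_DAYS = 3  # remediation plan due within three working days of a miss


def severity_from_cvss2(score: float) -> str:
    """Map a CVSSv2 base score to a severity band.
    Assumption (not stated in the article): critical is 10.0, high is 7.0-9.9."""
    if score >= 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def add_working_days(start: date, n: int) -> date:
    """Advance n working days (Mon-Fri); public holidays are ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def assess(finding: dict, today: str) -> dict:
    """Status of one hypothetical finding {id, cvss2, first_detected, remediated}
    as of `today`; all dates are ISO strings."""
    now = date.fromisoformat(today)
    detected = date.fromisoformat(finding["first_detected"])
    sev = severity_from_cvss2(finding["cvss2"])
    result = {"id": finding["id"], "severity": sev, "due": None,
              "status": "tracked", "plan_due": None}
    if sev not in DEADLINE_DAYS:
        return result  # medium/low: no fixed deadline under the directive
    due = detected + timedelta(days=DEADLINE_DAYS[sev])
    result["due"] = due.isoformat()
    fixed = finding.get("remediated")
    if fixed is not None:  # closed finding: was it fixed in time?
        result["status"] = "remediated" if date.fromisoformat(fixed) <= due else "remediated late"
    elif now > due:  # open and past the deadline: plan owed to CISA
        result["status"] = "overdue"
        result["plan_due"] = add_working_days(due, PLAN_WORKING_DAYS).isoformat()
    else:
        result["status"] = "open"
    return result
```

A constructed call such as `assess({"id": "F-1", "cvss2": 10.0, "first_detected": "2019-05-01", "remediated": None}, "2019-05-20")` reports the finding as overdue since 2019-05-16 with a remediation plan due on 2019-05-21.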
US federal agencies don't have a good track record for patching vulnerabilities. Last year, the Government Accountability Office (GAO) inspected 24 agencies and found that remediating security flaws was a weakness for most of them.
According to the GAO, that weakness was the result of not properly applying key elements of information security programmes.
In January, the DHS was also forced to issue 'Emergency Directive 19-01' to foil DNS hijacking attempts detected earlier by researchers at Cisco Talos Group in December 2018.
The emergency directive required federal agencies operating an agency-managed or .gov domain to review their servers and DNS records to ensure that they were resolving to the correct IP addresses.