The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued binding operational directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, which requires federal agencies to remediate critical security vulnerabilities within 15 days of initial detection.
CISA explained, “A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”
This new directive supersedes BOD 15-01, which required federal agencies to review and remediate any critical vulnerabilities on internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of receiving the weekly Cyber Hygiene report, according to the April 29 CISA post.
Per the directive, CISA will continue to provide all federal agencies with Cyber Hygiene reports, which agencies must review. Critical vulnerabilities must then be remediated within 15 calendar days of initial detection, while those categorized as high must be remediated within 30 calendar days of initial detection. Note that the clock starts at initial detection, not at receipt of the report.
“If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt,” the agency wrote.
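The remediation windows and the follow-up described above can be tracked mechanically. The following is an added example, not code from CISA or from the directive: it parses a constructed scan export (the column names are assumptions, not the real Cyber Hygiene report format), computes each in-scope finding's due date from its initial detection date (15 calendar days for critical, 30 for high), lists what is overdue on a given day, and derives the three-working-day return deadline for the remediation plan.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# BOD 19-02 windows, in calendar days from initial detection.
REMEDIATION_DAYS = {"critical": 15, "high": 30}

# Constructed sample in the shape of a scan-report export. The hosts,
# finding ids and dates are invented for this example; the column names are
# an assumption and do not describe the real Cyber Hygiene report.
SAMPLE_REPORT = """\
host,finding_id,severity,first_detected,status
203.0.113.10,finding-001,critical,2019-05-01,open
203.0.113.10,finding-002,high,2019-05-01,open
203.0.113.22,finding-003,critical,2019-05-10,open
203.0.113.22,finding-004,medium,2019-04-01,open
203.0.113.30,finding-005,critical,2019-04-20,closed
"""


@dataclass
class Finding:
    host: str
    finding_id: str
    severity: str
    first_detected: date
    status: str

    @property
    def due(self):
        # Due date counts from initial detection, not from report receipt.
        days = REMEDIATION_DAYS.get(self.severity)
        return None if days is None else self.first_detected + timedelta(days=days)

    def in_scope(self):
        # Only open critical/high findings carry a BOD 19-02 deadline.
        return self.severity in REMEDIATION_DAYS and self.status == "open"

    def days_overdue(self, as_of):
        if not self.in_scope():
            return 0
        return max(0, (as_of - self.due).days)


def parse_report(text):
    """Parse the CSV export into Finding objects (severity/status normalised)."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"],
            finding_id=r["finding_id"],
            severity=r["severity"].strip().lower(),
            first_detected=date.fromisoformat(r["first_detected"]),
            status=r["status"].strip().lower(),
        )
        for r in rows
    ]


def overdue_findings(findings, as_of):
    """In-scope findings whose remediation window has elapsed on as_of."""
    return [f for f in findings if f.days_overdue(as_of) > 0]


def add_working_days(start, n):
    """Return the date n working days (Mon-Fri) after start; holidays ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def remediation_plan(findings, as_of):
    """Skeleton of the partially populated plan: overdue items listed,
    agency-supplied fields left empty, return deadline three working days out."""
    return {
        "as_of": as_of.isoformat(),
        "plan_due": add_working_days(as_of, 3).isoformat(),
        "items": [
            {
                "host": f.host,
                "finding_id": f.finding_id,
                "severity": f.severity,
                "first_detected": f.first_detected.isoformat(),
                "due": f.due.isoformat(),
                "days_overdue": f.days_overdue(as_of),
                "planned_completion": None,  # to be populated by the agency
                "constraints": None,         # to be populated by the agency
            }
            for f in overdue_findings(findings, as_of)
        ],
    }


if __name__ == "__main__":
    plan = remediation_plan(parse_report(SAMPLE_REPORT), date(2019, 5, 20))
    for item in plan["items"]:
        print(item)
    print("plan due:", plan["plan_due"])
```

Running it with the constructed data as of 2019-05-20 flags only finding-001 (critical, detected 1 May, due 16 May); the high finding from the same day is not due until 31 May, the medium finding is out of scope, and the closed critical finding is ignored.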
“This is a good initiative, one to which all reputable private sector enterprises already subscribe via third-party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector, as it is definitely a best practice in the industry,” said Mounir Hahad, head of Juniper Networks' Juniper Threat Labs.
“I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”