US government agencies now have just 15 days to patch critical security flaws

The US Cybersecurity and Infrastructure Agency (CISA) – part of the Department of Homeland Security (DHS) – has halved the time limit for government agencies to fix critical vulnerabilities.

The new binding operational directive BOD 19-02 gives departments just 15 calendar days from detection to repair critical vulnerabilities on internet-facing systems, with a 30-day deadline for high severity issues.

CISA’s definition of a ‘critical’ or ‘high’ vulnerability is based on the widely used CVSS scoring system.

The clock starts ticking from the point that the DHS’ Cyber Hygiene automatic scanning system detects a flaw.

“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” says CISA.

“The federal government must continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems as soon as possible.”

If agencies start to miss deadlines, CISA will give them a partial remediation plan and expect all security gaps to be plugged within three days.

But CISA does accept that some deadlines will be missed, as some systems no longer receive security updates.

Closing the window

According to the head of CISA, Chris Krebs, federal agencies once took an average of 149 days to patch critical vulnerabilities, but are now managing it in 20.

“What we’re finding is a great deal of success in improving cybersecurity posture, through just understanding what the risk environment is,” he says.

Later this month, CISA is planning to release a report identifying crucial functions in critical infrastructures where a breach could impact multiple sectors simultaneously.

It is also set to provide assistance to individual states to deal with election interference – Krebs has said he plans to ask Congress for more funds to deal with this.

“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” says CISA.