US Government halves deadline for applying critical patches to 15 days

US federal agencies must fix their security bugs more quickly under new rules issued by the Department of Homeland Security (DHS) this week. The rules also expand the scope of bugs that agencies must pay attention to.

The Cybersecurity and Infrastructure Security Agency (CISA), which is a branch of the DHS dealing with cybersecurity, issued the rules in the form of a new Binding Operational Directive (BOD) this week. BODs are rules that federal agencies must follow. Called BOD 19-02, it tightens requirements for federal agencies to fix the vulnerabilities that the DHS finds.

The DHS regularly scans federal agency systems to try and find vulnerabilities. Called the Cyber Hygiene scan, this practice generates a weekly report that the DHS sends to agencies.

The new directive supersedes BOD 15-01, which forced federal agencies to review and remediate critical vulnerabilities on internet-facing systems within 30 days of their weekly Cyber Hygiene report. BOD 15-01 led to a “substantial decrease” in the number of critical vulnerabilities over 30 calendar days, according to the DHS.

BOD 19-02 ups the ante. It forces agencies to remediate critical vulnerabilities within 15 calendar days of detection. They must also now fix high vulnerabilities within 30 calendar days. CISA measures vulnerabilities according to the National Institute of Standards and Technology’s Common Vulnerability Scoring System (CVSS).

CISA outlined the reason for the move in an announcement detailing its plans:

Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities.

If agencies don’t fix the bugs by the deadlines, the CISA will send a skeleton remediation plan listing the vulnerabilities to fix, which the agency in question must fill out and return within three working days. It will also engage senior officials at the agency such as the CISO and CIO, and will keep tracking the vulnerabilities with each Cyber Hygiene scan.

Agencies can also expect their performance to show up on the Federal Cyber Exposure Scorecard (FCES) which in March began showing high vulnerability counts in addition to critical ones. The CISA will report monthly to the Office Of Management And Budget (OMB) to identify and target repeat offenders, facilitating “attentional policy and/or budget-related actions and remedies”.

The missive is the second BOD from CISA this year. It issued the first, BOD 19-01, in January. It directly addressed news of DNS hijacking attacks, forcing agencies to audit their DNS records, change DNS account access passwords, and instigate multi-factor authentication.