DHS orders faster patching from federal agencies

The Department of Homeland Security released a new Binding Operational Directive on April 29 that halves the time federal agencies have to patch critical IT vulnerabilities, from 30 days to 15.

The order compels all civilian federal agencies to regularly review the weekly cyber hygiene reports delivered by DHS that identify both critical and high vulnerabilities, and to patch them within 15 and 30 calendar days, respectively. The clock starts when a vulnerability is detected, not when agencies are first informed about it.

According to the directive, CISA is exploring a way to send real-time alerts to agencies when a vulnerability is discovered so they don't have to wait for the weekly hygiene reports to start patching.

If agencies fail to patch within those timeframes, DHS will essentially write a remediation plan for them and begin addressing the problem with top IT officials at the agency.

"CISA will engage Agency CIOs, CISOs, and [Senior Accountable Officials for Risk Management] throughout the escalation process, if necessary," the directive states.

Agencies must also ensure that DHS' Cyber Hygiene scanning service is not blocked by removing its source Internet Protocol addresses from their block lists, and must notify CISA of any changes to agency Internet-accessible IP addresses within five days of the change.

The directive supersedes and replaces the first-ever such directive issued in 2015, which set baseline standards for how quickly agencies should move to patch critical vulnerabilities for Internet-accessible federal systems when they're discovered. While officials have cited the order as being responsible for a major drop in response time from agencies (from an average of 150 days to 20), the new directive notes that "recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today's adversaries are more skilled, persistent, and able to exploit known vulnerabilities."

At a House Homeland Security Committee hearing the day after the BOD was issued, Krebs said the evolution and maturation of the department's Continuous Diagnostics and Mitigation program has helped lay the groundwork for the faster identification and remediation of software, system and network vulnerabilities that the new directive is intended to capture.

"We are able to see what is going on in those agencies in terms of those critical vulnerabilities or those high vulnerabilities," said Krebs. "So we can actually measure now, we have the visibility so we can see and we can take action."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
