DHS orders faster patching from federal agencies

The Department of Homeland Security released a new Binding Operational Directive April 29 that cuts down on the time federal agencies have to patch critical IT vulnerabilities in half, from 30 days to 15.

The order compels all civilian federal agencies to regularly review weekly cyber hygiene reports delivered by DHS that identify both critical and high vulnerabilities and patch them within 15 and 30 calendar days of being detected, not when agencies are first informed about them.

According to the directive, CISA is exploring a way to send real-time alerts to agencies when a vulnerability is discovered so they don't have to wait for the weekly hygiene reports to start patching.

If agencies fail to patch within those timeframes, DHS will essentially write a remediation plan for them and begin addressing the problem with top IT officials at the agency.

"CISA will engage Agency CIOs, CISOs, and [Senior Accountable Officials for Risk Management] throughout the escalation process, if necessary," the directive states.

Agencies must also remove Internet Protocol addresses associated with DHS' Cyber Hygiene scoring service and notify CISA of any changes to agency Internet-accessible IP addresses within five days of any change.

The directive supersedes and replaces the first-ever such directive issued in 2015, which set baseline standards for how quickly agencies should move to patch critical vulnerabilities for Internet-accessible federal systems when they're discovered. While officials have cited the order as being responsible for a major drop in response time from agencies (from an average of 150 days to 20), the new directive notes that "recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today's adversaries are more skilled, persistent, and able to exploit known vulnerabilities."

At a House Homeland Security Committee hearing the day after the BOD was issued, Krebs said the evolution and maturing of the department's Continuous Diagnostics and Mitigation program has helped lay the groundwork for faster identification and remediation of software, system and network vulnerabilities that the new directive is intended to capture.

"We are able to see what are going on in those agencies in terms of those critical vulnerabilities or those high vulnerabilities," said Krebs. "So we can actually measure now, we have the visibility so we can see and we can take action."