The U.S. Department of Homeland Security has issued Binding Operational Directive (BOD) 19-02, which requires all federal agencies to remediate critical vulnerabilities in Internet-accessible systems within 15 days of detection, and high-severity vulnerabilities within 30 days of detection.
Federal agencies are increasingly deploying Internet-accessible systems that are interconnected with complex internal IT systems. Vulnerabilities in those Internet-accessible systems could be exploited by threat actors to gain a foothold in the internal networks of federal agencies. DHS explained that the average time between the public disclosure of a vulnerability and its exploitation by threat actors is decreasing, so serious vulnerabilities must be remediated in the shortest possible time frame.
Internet-accessible systems used by federal agencies are subjected to Cyber Hygiene scans, and the Cybersecurity and Infrastructure Security Agency (CISA) issues reports to those agencies on the results, including details of identified vulnerabilities and their CVSS scores. The 15- and 30-day clocks run from the initial detection of a vulnerability in those scans.
In 2015, DHS issued Binding Operational Directive 15-01 – Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems – which required all critical vulnerabilities to be addressed within 30 days of discovery. BOD 19-02 cuts that maximum time for critical vulnerabilities in half and adds a 30-day deadline for high-severity vulnerabilities to further improve the security posture of federal agencies.
BOD 19-02 sets the maximum timescale and the minimum necessary requirements for addressing vulnerabilities. Federal agencies remain responsible for managing security risks within their own environments and are urged to ensure that their vulnerability and patch management programs exceed the requirements of BOD 19-02. For instance, if a vulnerability is discovered for which an exploit is publicly available and is being actively exploited in the wild, the flaw should be mitigated rapidly, and far more rapidly than 15 days.
If a vulnerability cannot be remediated within the new maximum time frame, the agency must notify CISA within three days and provide a remediation plan describing the constraints that prevented remediation, the interim mitigations put in place, and the expected completion date.
BOD 19-02 instructs CISA to offer technical assistance to help federal agencies remediate vulnerabilities, and CISA will report to the Office of Management and Budget (OMB) on the challenges agencies face, to facilitate policy and budget-related actions. CISA will track the remediation of critical and high-severity vulnerabilities through Cyber Hygiene scans and will use those scan results to validate compliance with BOD 19-02.