DHS Order Requires Agencies to More Quickly Patch Critical IT Vulnerabilities
A new Department of Homeland Security directive that requires federal agencies to fix critical-level vulnerabilities on internet-accessible systems in 15 days seems to be accomplishing the goal so far, says a key DHS official.
This spring, the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 19-02 (BOD 19-02), under which federal agencies must regularly review weekly reports of flaws detected on internet-accessible systems compiled by CISA, based on results from its cyber hygiene scanning service.
The directive applies to internet-accessible systems directly managed by an agency, as well as those operated on an agency’s behalf; in addition to the 15-day window for critical vulnerabilities, it requires that high vulnerabilities be corrected in 30 days.
“Since CISA began sharing the new BOD requirements with agencies in March, the average time to remediate closed vulnerabilities for both critical and high vulnerabilities has decreased and surpassed the BOD requirements,” says Matthew Hartman, CISA’s acting director of federal network resilience.
With Dwell Time Down, Vulnerabilities Must Be Fixed Fast
The clock starts, however, when the vulnerability is detected, not when the agency receives the report. Since the current average dwell time for intruders is about four hours and 37 minutes, according to a report from CrowdStrike, CISA is exploring ways to alert agencies to a vulnerability in real time. For now, agencies will have to wait for weekly reports to begin their patching processes.
The original BOD on critical vulnerability mitigation, issued in 2015, allowed agencies more time to remediate vulnerabilities. “When DHS first issued BOD 15-01 to establish enterprisewide expectations for the timely mitigation of vulnerabilities, there were hundreds of critical vulnerabilities yet to be patched,” Hartman says.
“These days, we often report only a handful of critical vulnerabilities over the required remediation time frames, and those are frequently patched within days,” he adds. “This success story has allowed us to focus on broadening the scope, reducing the attack surface and continuing to establish the federal government as a cybersecurity leader across sectors.”
Prior to BOD 19-02, Hartman says, CISA noted that many agencies were already frequently addressing critical and high vulnerabilities within the new time frames based on the agencies' own internal policies.
“Many agencies have significantly improved their internal patch management procedures, and most have reported that their agency policies for remediating critical vulnerabilities require an even faster timeline,” Hartman says. “That was a good indication that agencies had the people, process and technology necessary to advance the governmentwide requirement.
“The increased focus on these vulnerabilities by DHS and OMB would likely provide the additional support agencies need to overcome common challenges and lingering constraints that often relate to limited budgets, skilled resources, and outdated legacy IT,” he says.
Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs, praised the government directive. “This is a good initiative, one for which all reputable private-sector enterprises already subscribe to via third-party scanning services,” he told Security Week. “It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector, as it is definitely a best practice in the industry.”
Agencies May Get Extra Time to Fix Vulnerabilities
While CISA anticipates that most agencies with mature vulnerability management programs will be able to easily adapt to the new requirements, the process may be more difficult for others.
Reports from the General Accounting Office and from various inspectors general offices have found data and network insecurity at several agencies, and that some agencies have failed to remedy cybersecurity flaws that could potentially expose data to hackers.
Under BOD 19-02, should an agency fail to properly address vulnerabilities within the established time frame, CISA will contact that agency, which will have three business days to explain the delay and provide a timeline for when a fix can be expected using templates provided by CISA.
“CISA is willing to work with agencies on a case-by-case basis when remediation is not feasible within established time frames,” Hartman says.
While CISA’s weekly cyber hygiene reports will be central to agencies’ vulnerability management strategies, Hartman advises agencies to augment those reports with additional measures to further strengthen cybersecurity.
Those measures could include scanning capabilities such as those provided by DHS’ Continuous Diagnostics and Mitigation program “to enhance detection, facilitate information sharing and gain more real-time insight,” he says.
“Remediating vulnerabilities and managing risk is more challenging than modifying policies and required time frames,” he adds. “We also expect agencies to use BOD 19-02 as a way to communicate more agency-specific expectations across their enterprise. This can help CISOs better manage the remediation actions and make better risk decisions about how to overcome challenges.”
This communication, Hartman says, should prove as valuable to agencies as the information from the cyber hygiene report itself.
“BOD 19-02 helps us reduce the attack surface of our federal networks not only by ensuring individual agencies are patching systems faster,” he says, “but by gaining greater insights into cross-agency challenges, creating and sharing solutions, and involving the right groups to solve problems that are best addressed as a community working toward a common goal.”
