It has been reported that the U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems. Specifically, BOD 19-02 gives government organisations 15 days to address critical vulnerabilities and 30 days for high-severity flaws. The countdown starts when a vulnerability was initially detected, rather than when it was first reported to agencies. Internet-exposed government systems undergo Cyber Hygiene scanning to help agencies identify vulnerabilities.
James Hayes, Vice President of Global Government Affairs at Tenable:
“Earlier this week the U.S. Department of Homeland Security (DHS) issued binding operational directive 19-02, requiring federal agencies to repair mission critical flaws within 15 days rather than 30 days. DHS should be commended for raising the bar on mitigation timelines, a critical step to securing federal networks and closing the Cyber Exposure gap. However, with a shorter window for fixing critical vulnerabilities, it is that much more important to be able to discern which vulnerabilities must be addressed immediately. What is deemed a high or critical vulnerability under CVSS is not necessarily the most important to an individual organisation. For that reason, it is imperative that the agency moves beyond CVSS on its own and look at ways to prioritise based on additional key factors. DHS and all federal agencies have a responsibility to continually re-evaluate their toolboxes to ensure they utilise their resources in the best possible way to secure government networks and information.”