DHS: Federal Agencies Need to Patch Vulnerabilities FasterDirective: 'Critical' Vulnerabilities Must Be Patched Within 15 Days
The U.S. Department of Homeland Security is requiring that federal agencies speed up patching and remediating "critical" and "high" software vulnerabilities.
Under a new directive, Binding Operational Directive (BOD) 19-02, released this week, federal agencies' IT departments must patch software vulnerabilities deemed critical within 15 calendar days and fix vulnerabilities considered high within 30 days, DHS announced Wednesday. Under previous rules established in 2015, critical vulnerabilities needed remediation within 30 days, and there were no specific guidelines for those vulnerabilities deemed high.
The goal of the directive is to ensure that federal agencies are addressing vulnerabilities in a more pressing manner, especially as the time between the discovery of a vulnerability and the ability of malicious actors to exploit that flaw shrinks, according to the DHS directive.
"It is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally facing systems," the new directive states.
All federal agencies are required to comply with DHS-issued directives, except for certain systems operated by the Department of Defense or certain intelligence agencies.
The updated rules on patching vulnerabilities were published by the Cybersecurity and Infrastructure Security Agency, a new division within DHS established at the end of 2018 to help secure the nation's critical infrastructure from physical as well as cyber threats.
Many security experts say this directive is long overdue within the federal government, which has been slow to address vulnerabilities as agencies move older platforms to the cloud or update older, manual processes with digital ones.
Still, some warn that speeding up the patching of critical and high vulnerabilities is not enough to secure the federal infrastructure.
"This is a useful step forward provided that it is appropriately resourced and funded," says Steve Durbin, the managing director of the Information Security Forum, a not-for-profit cybersecurity and risk management organization. "We also need to bear in mind that compliance is not necessarily a reflection of a robust and resilient cybersecurity strategy, which should be the goal for all organizations."
As a result of the new directive, federal agencies' IT departments must start reacting immediately once the DHS' Cyber Hygiene vulnerability scanning system detects a flaw within software used by an agency. The scanning software will first send an alert to the affected agency and its IT department, and if the security team does not react within a certain time frame, the system will send an updated warning.
"Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection," according to the new directive.
If the warnings go unanswered, the department's CIO or CISO could face an administrative penalty, the directive states.
If a federal agency cannot complete the patching within either the required time periods, the security teams must alert DHS to explain why patches can't be applied and what the agency plans to do to mitigate the issues in the meantime, the directive spells out. The agency also must offer an estimated date for when the patching will be completed.
Some security experts contend the new patching deadlines in the directive aren't strict enough for critical government agencies.
"Taking 15 to 30 days to react to a vulnerability is taking too long," says Fausto Oliveira, the principal security architect at Acceptto, a security vendor. "Instead, the agencies should have two to five days to implement a temporary remedial plan depending on severity and 15 to 30 days to implement a definitive plan to address the vulnerability. Even two to five days is centuries of computer time that the threat actors have to find the vulnerability and leverage it."
But other observers say the new patching deadlines are an important step forward.
"We often see vulnerabilities several years old that are still being exploited in the wild. So having a 15 day or 30 day deadline to patch vulnerable sites is definitely a step in the right direction," says Mounir Hahad, the head of Juniper Threat Labs, a threat intelligence portal.
To determine what is a critical or high vulnerability, DHS and the Cybersecurity and Infrastructure Security Agency are relying on the Common Vulnerability Scoring System version 2. Most of the cybersecurity industry, however, has shifted over the past several years to CVSS version 3, released in 2015.
If DHS relies on CVSS version 2, it could mean that businesses and federal agencies might have different standards when it comes to what is considered a critical or high software vulnerability. A DHS spokesperson did not immediately reply to a request for comment.
The most critical step, Hahad of Juniper says, is for each federal agency to address the specific threats that they face.
"It has been demonstrated that CVSSv3 has a tendency of scoring vulnerabilities at a higher score than CVSSv2, so sticking with CVSSv2 potentially lightens the load on agencies," Hahad says. "But the message is clear: Each agency needs to adjust the CVSS score of a vulnerability based on its own specific circumstances, like architectures, mission and assets."