Tightened vulnerability remediation deadlines for US govt agencies


Critical vulnerabilities must be fixed within 15 days after detection.

A new directive issued by the United States Cybersecurity and Infrastructure Agency - CISA, part of the Department of Homeland Security - makes it compulsory for government agencies to sort out critical vulnerabilities within 15 calendar days of detection, halving the current deadline.

The binding operational directive 19-02 further states that high vulnerabilities must be remediated within 30 calendar days.

CISA's BOD 19-02 supersedes the earlier BOD 15-01 issued in 2015 that required government agencies to review and remediate critical vulnerabilities on Internet-facing systems within 30 days from the issuance of the National Cybersecurity and Communications Integration Centre's weekly Cyber Hygiene report.

Halving the time within which critical vulnerabilities must be fixed is a response to threat actors now being quicker to exploit vulnerabilities than in the past.

"Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities," CISA wrote.

CISA made it clear that the 15 and 30 day deadlines "are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices", and that fixes should be applied as quickly as possible.

Agencies have to submit completed remediation plans within three working days to CISA.

Delayed remediation can be granted on a case-by-case basis, provided agencies submit detailed justification in their plans to CISA.

Prior to reviewing and remediating critical and high vulnerabilities, US government agencies must ensure cyber hygiene scanning access by removing internet protocol addresses for the CISA monitoring and reporting service so as to avoid false positives.

In January this year, CISA issued an emergency directive in response to a global campaign attempting to commandeer domain name system (DNS) infrastructure.

The campaign targets governments, telcos and internet infrastructure organisations in North America, Europe, the Middle East and Africa, and is believed to emanate from Iran.

Copyright © iTnews.com.au . All rights reserved.
