US gov agencies get mandatory patching orders


Remediate within two weeks for new bugs.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has directed federal civilian executive branch agencies to patch known exploited vulnerabilities within fixed deadlines.

CISA's Binding Operational Directive 22-01 requires agencies to establish a remediation process for identified vulnerabilities, and to assign the roles and responsibilities needed to carry it out.

Agencies are required to remediate vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalogue, which CISA maintains and updates as new in-the-wild exploitation is confirmed.

Several highly publicised bugs are listed in the catalogue, including the Accellion File Transfer Application flaws that were used to breach the Reserve Bank of New Zealand and NSW Health.

The catalogue lists over 400 vulnerabilities presently.

Flaws with Common Vulnerabilities and Exposures (CVE) identifiers assigned before 2021 must be remediated within six months.

All other catalogued vulnerabilities must be remediated within two weeks of being listed, a deadline CISA can shorten where a flaw poses a grave enough risk.

Agencies must also report their remediation status against the catalogue to CISA.

CISA will in turn report on the status of the patching effort to the Secretary of Homeland Security, the Director of the Office of Management and Budget, and the National Cyber Director.

CISA issued the directive because the number of vulnerabilities being actively exploited has risen while agencies have remained slow to patch them.
