In a move to ensure a more secure federal government, executive level departments and agencies must now remediate critical vulnerabilities within 15 calendar days of initial detection and fix high vulnerabilities within 30 calendar days.
The new order, which came out this week, is a part of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 19-02, “Vulnerability Remediation Requirements for Internet-Accessible Systems.”
This binding operational directive is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems.
This new rule applies to all federal executive branch departments and agencies except for the Department of Defense, Central Intelligence Agency, and Office of the Director of National Intelligence.
“As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems,” said Christopher C. Krebs, director of CISA, in the directive.
“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” he said. “The federal government must continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems as soon as possible.”
An initial program that started in 2015, Binding Operational Directive (BOD) 15-01, “Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems,” established requirements for federal agencies to review and remediate critical vulnerabilities on Internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of issuance of their weekly Cyber Hygiene report.
Since that program started, there has been a substantial decrease in the number of critical vulnerabilities over 30 calendar days and a significant improvement in how agency teams identified and responded to these vulnerabilities.
By implementing specific remediation actions, and initiating ongoing monitoring and transparent reporting via CISA’s Cyber Hygiene service, BOD 15-01 helped drive progress and enhance the federal government’s security posture. In support of BOD implementation, CISA leverages Cyber Hygiene scanning results to identify cross-government trends and persistent constraints, and works with the Office of Management and Budget (OMB) to help impacted agencies overcome technical and resource challenges that prevent the rapid remediation of vulnerabilities.
In a move to build upon the success of BOD 15-01, CISA created BOD 19-02, which supersedes the previous rule.
To ensure effective and timely remediation of critical and high vulnerabilities, federal agencies shall complete the following actions:
1. Ensure access and verify scope
a. Ensure Cyber Hygiene scanning access by removing Cyber Hygiene source IP addresses from block lists.
b. Within five working days of the change, notify CISA of any modifications to your agency’s Internet-accessible IP addresses.
c. Upon request from CISA, submit updated Cyber Hygiene agreements.
2. Review and remediate critical and high vulnerabilities
a. Review Cyber Hygiene reports issued by CISA and remediate the critical and high vulnerabilities detected on the agency’s Internet-accessible systems as follows:
– Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
– High vulnerabilities must be remediated within 30 calendar days of initial detection.
b. If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt. The recipient of the remediation plan shall complete the following fields in the remediation plan:
• Vulnerability remediation constraints
• Interim mitigation actions to overcome constraints
• Estimated completion date to remediate the vulnerability
“This is a good initiative, one for which all reputable private sector enterprises already subscribe to via third party scanning services,” said Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs. “It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector as it is definitely a best practice in the industry. I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”