The Department of Homeland Security has ordered federal civilian agencies to more swiftly plug the vulnerabilities found on their networks, citing evidence that hackers are getting quicker at exploiting such bugs.
In a Binding Operational Directive (BOD) dated April 29, DHS’s Cybersecurity and Infrastructure Security Agency gives agencies 15 days after discovery to fix vulnerabilities deemed critical – as opposed to the 30 days that agencies previously had to address those flaws.
“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” reads the memo from CISA Director Chris Krebs.
The new directive also gives agencies 30 days to fix vulnerabilities labeled “high” in severity, which are a step below critical. That is another change from a 2015 order, now revoked, which did not provide a timeline for agencies to address high vulnerabilities.
The hope is that agencies will be quicker than those deadlines. The order tells agencies to patch or otherwise secure their systems as soon as possible.
Last week, Krebs touted progress he said agencies had made in more quickly fixing software flaws. The average time it takes agencies to patch critical vulnerabilities after discovery is down from 149 days to just 20, he said.
BODs are a blunt tool used by Homeland Security officials when agencies aren’t doing enough to defend their networks on their own. The directives are sometimes published in response to what officials see as clear-and-present cyberthreats. In January, for example, DHS issued an unprecedented “emergency” directive telling agencies to shore up their domain name system security after researchers reported that Iran-linked hackers had manipulated DNS records at organizations on multiple continents.
As with other BODs, the new order doesn’t apply to the Pentagon and intelligence agencies, which are outside of DHS’s policy jurisdiction.
“CISA released [the directive] to continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems,” Jeanette Manfra, CISA’s assistant director, wrote in a blog post.