A Department of Homeland Security (DHS) order now requires agencies to remediate critical vulnerabilities discovered on their systems in 15 days – cutting in half the previous deadline of 30 days.
That’s according to a Tuesday binding directive, which is a compulsory order for federal, executive branch, departments and agencies “for purposes of safeguarding federal information and information systems.”
The initiative, released by the DHS Cybersecurity and Infrastructure Security Agency (CISA) unit, now requires federal agencies to remediate critical security vulnerabilities within 15 days from the initial detection. Vulnerabilities that are merely “high” in severity, meanwhile, must be remediated within 30 days after detection.
“As federal agencies continue to expand their internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems,” according to the directive.
The directive supersedes a previous 2015 DHS order, which ordered departments and agencies to mitigate critical vulnerabilities on their internet-facing systems within 30 days “of issuance of their weekly ‘Cyber Hygiene report.'”
Jeanette Manfra, assistant director for Cybersecurity for CISA, said that the average time between discovery and exploitation of a vulnerability is decreasing, and adversaries are growing more skilled and persistent.
“CISA released [the directive] to continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems,” she said. “[The directive] introduces a shorter mitigation time frame for critical vulnerabilities and a new mitigation time frame for high vulnerabilities, to further reduce the attack surface and risk to federal agency information systems.”
The directive comes as the government pushes for further security measures across various agencies.
The DHS in January ordered all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days, warning that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.
The directive also comes as the federal government in March stepped up its game with proposals of budget line items that would requisition nearly $11 billion for cyber initiatives, and the introduction of an Internet of Things (IoT) Cybersecurity Improvement Act of 2019 (which would require that devices purchased by the government to meet certain minimum security requirements).
While security experts praised the initiative, they argued that the directive could go even further in trying to quickly stamp out vulnerabilities across governmental organizations.
“I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial,” said Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs. “Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”