The Cybersecurity and Infrastructure Security Agency (CISA) released its latest Binding Operational Directive (BOD 19-02), “Vulnerability Remediation Requirements for Internet-Accessible Systems”, this week. The directive supersedes BOD 15-01, “Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems”, which came out in 2015. BOD 15-01 required federal agencies to remediate critical infosec vulnerabilities within 30 days of detection, in addition to initiating ongoing tracking and monitoring, and led to a significant improvement in the federal government’s security posture.
The new directive shortens the remediation window to 15 days for critical vulnerabilities and 30 days for high vulnerabilities. If an agency takes longer than the given timeframe to fix a vulnerability, CISA will send it a partially populated remediation plan; the agency then has 3 days to complete the form and return it to CISA. CISA will also provide regular Cyber Hygiene reports to federal agencies.
Read more at the Department of Homeland Security’s website.