The Department of Homeland Security’s U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a directive that now gives federal agencies a 15-day deadline to remediate critical-level vulnerabilities that are detected on their internet-accessible systems by CISA’s Cyber Hygiene scanning service.

Binding Operational Directive 19-02 supersedes BOD 15-01, which when enacted in 2015 gave agencies a 30-day window to fix critical vulnerabilities upon detection. The specific vulnerabilities that U.S. agencies must watch out for and rapidly address are listed in the monthly Cyber Hygiene report published by CISA’s National Cybersecurity and Communications Integration Center. In March, the report began listing high-severity bugs that don’t quite reach critical status, but agencies will still have a larger window of 30 calendar days to correct those.

If vulnerabilities are not remediated in time, CISA will reach out to the agency, which will have three working days to explain, using templates provided by CISA, the reasons behind the delay and when a fix can be expected.

“CISA will monitor federal agency progress and will engage agency senior leadership, such as Chief Information Security Officer (CISO), Chief Information Officer (CIO), and Senior Accountable Official for Risk Management (SAORM), as necessary and appropriate, when the agency has not met the Required Action deadlines specified above,” the directive states. “CISA also will track the remediation of critical and high vulnerabilities through persistent Cyber Hygiene scanning and will validate compliance with the BOD requirements through these reports.”

Agencies must also keep CISA informed whenever they modify one of their internet-accessible IP addresses or add new ones, so that CISA’s Cyber Hygiene scanning service can account for these addresses.

The directive also spells out CISA’s responsibilities, which include providing reports and scorecards based on its scanning results, and engaging with agencies to provide technical expertise and guidance.

“Forcing remediation of critical vulnerabilities within 15 days is a good idea, with a few caveats,” said Christian Vezina, CISO at OneSpan. “While moving from 30 to 15 days is likely to improve overall system posture and shrink attack windows, it may be a stretch for all agencies to meet, so CISA will definitely need to help with remediation templates.”

Still, the new directive’s requirements might not be stringent enough to mitigate the threat of an active exploit. “Looking at this from another perspective, a deadline of 15 days for vulnerabilities that are not being actively exploited can be acceptable, but it is probably way too long if exploits are already out there being exploited,” Vezina continued. “In such cases, 48 hours should be a maximum window for critical vulnerabilities being actively exploited. Vulnerabilities need to be further prioritized to make the best use of available limited resources.”