CISA Cuts Deadline For Patching Critical Weaknesses In Half


A new binding operational directive requires agencies to patch critical vulnerabilities in just over two weeks.

Time is of the essence in cybersecurity, and a new Homeland Security binding operational directive shortens the timeline for agencies to patch known weaknesses in their systems.

Homeland Security’s Cybersecurity and Infrastructure Security Agency issued the binding directive Tuesday ordering agencies to enable access for the department’s automated vulnerability scans and to fix critical weaknesses within 15 days.

A previous binding directive issued in 2015 required agencies to patch known critical weaknesses within 30 days. CISA—then called the National Protection and Programs Directorate—coordinated this process with the National Cybersecurity and Communications Integration Center, which sends weekly reports governmentwide about recently discovered vulnerabilities.

The new directive—which supersedes and replaces the 2015 order—includes two specific sets of actions agencies must take going forward.

The first new mandate requires agencies to whitelist the source IP for the National Cybersecurity Assessments and Technical Services, or NCATS, cyber hygiene scans.

Under a separate binding directive issued during the Obama administration, agencies are under orders to allow Homeland Security, through NCATS, to scan their systems regularly. Agencies, in turn, receive weekly reports on issues and vulnerabilities.

The hygiene scans are largely automated, so agencies must ensure the scanning source can actually reach their internet-accessible systems; a scanner that is silently dropped by a firewall or intrusion prevention system reports nothing, which is not the same as a clean result. Along with whitelisting—or actively removing the scanner from a blacklist, depending on how perimeter controls are configured—agencies must also notify CISA and the NCATS team of any “modifications to your agency’s internet-accessible IP addresses,” the directive states, since hosts the scanner does not know about are never scanned.

Once those vulnerabilities are identified, the new directive recodifies the 30-day remediation window for high-severity vulnerabilities but gives a shorter timeframe—15 days—to patch critical ones. Both windows are counted in calendar days from the date Cyber Hygiene first detects the finding, and severity follows the CVSS rating published by the National Vulnerability Database rather than an agency's own assessment. If agencies aren’t meeting those deadlines, CISA will get involved.

“If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency [points of contact] for validation and population,” the directive states. “Agencies shall return the completed remediation plan within three working days of receipt.”

That response should include any and all “constraints” on the agency’s ability to fix the vulnerabilities, the timetable for remediation and a detailed plan for how the agency plans to bridge the gap.
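The deadline arithmetic above is simple enough that an agency vulnerability-management team can track it directly against scan output. The following is an added example, not code from the directive or from CISA: it takes findings as records of host, finding identifier, CVSS base score and first-detection date, applies the 15-day critical and 30-day high windows, and lists what is overdue on a given day. The three sample findings and their hosts, identifiers and dates are constructed for illustration, and the mapping of CVSS scores to the critical and high bands is assumed to be the conventional CVSS v3 qualitative scale (critical 9.0 and above, high 7.0 to 8.9), which the article does not spell out.

```python
"""Overdue-finding tracker for the BOD 19-02 remediation windows.

Added example, not code from the directive or from CISA. Findings are
assumed to arrive as (host, finding id, CVSS base score, first-detected
date); the sample records below are constructed, and the severity bands
are the conventional CVSS v3 qualitative scale (an assumption).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Remediation windows from the directive: 15 calendar days for critical,
# 30 for high, both counted from initial detection. Lower severities have
# no BOD deadline, so they get no entry here.
WINDOW_DAYS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str
    cvss: float
    first_detected: date


def severity(cvss: float) -> str:
    """Map a CVSS base score to a qualitative band (assumed v3 scale)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> Optional[date]:
    """Deadline for an in-scope finding, or None if the BOD sets no window."""
    days = WINDOW_DAYS.get(severity(f.cvss))
    if days is None:
        return None
    return f.first_detected + timedelta(days=days)


def overdue(findings: Iterable[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Return (finding, days_overdue) for each finding past its deadline,
    most overdue first. A finding due today is not yet overdue."""
    late = []
    for f in findings:
        due = due_date(f)
        if due is not None and today > due:
            late.append((f, (today - due).days))
    return sorted(late, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings; hosts, ids and dates are illustrative only.
SAMPLE = [
    Finding("host-a.agency.example", "finding-critical-1", 9.8, date(2019, 5, 1)),
    Finding("host-b.agency.example", "finding-high-1", 7.5, date(2019, 5, 1)),
    Finding("host-c.agency.example", "finding-medium-1", 5.3, date(2019, 4, 1)),
]

if __name__ == "__main__":
    for f, days_late in overdue(SAMPLE, date(2019, 5, 20)):
        print(f"{f.host} {f.finding_id} ({severity(f.cvss)}): "
              f"{days_late} day(s) past the BOD deadline")
```

Run as written, the script reports only the critical finding: detected May 1, it was due May 16 and is four days late on May 20, while the high finding is still inside its 30-day window and the medium finding has no directive deadline at all. The output of `overdue()` is the list an agency would need to populate CISA's remediation plan with, so it is returned rather than merely printed.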

Agencies are also encouraged to move faster than the 15- or 30-day timeframe, per a FAQ posted to CISA’s blog.

“Agencies are responsible for managing risk to their networks, and should remediate vulnerabilities to critical systems as quickly as possible,” officials wrote. “The 15-day and 30-day requirements in the BOD are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices.”