A new binding operational directive (BOD) from the Department of Homeland Security (DHS) released Monday, April 29, requires agencies to remediate critical vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA) within 15 days of detection, a reduction from 30 days.
BOD 19-02 also establishes a new category of vulnerabilities – high vulnerabilities, which must be remediated in 30 days. The directive noted that tracking of high vulnerabilities began in March to support the new efforts.
“Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection,” the directive states.
For agencies that don’t finish their remediation within the allotted time, CISA will provide a partially completed remediation plan and require agencies to return the plan within three days. While this timeframe may seem short, CISA “expects agencies to begin formulating remediation strategies well in advance of the 15- and 30-day deadlines.”
While the directive requires agencies to remediate critical vulnerabilities in 15 days, DHS is not endorsing a two-week wait for agencies.
“The 15-day and 30-day requirements in the BOD are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices,” the directive states.