A new operational directive from the Department of Homeland Security placed deadlines on how long federal agencies have to patch vulnerabilities.
The Binding Operational Directive (BOD) 19-02 sets new DHS patching rules stating that federal agencies have 15 days to patch critical vulnerabilities and 30 days for flaws that are rated high. The directive only applies to federal systems that are accessible via the internet. If an agency cannot patch a vulnerability in the given timeframe, it will have three working days to submit a remediation plan to DHS’ Cybersecurity and Infrastructure Security Agency (CISA).
The previous DHS patching directive, enacted in 2015, set a 30-day deadline for remediating critical vulnerabilities, but did not mention other types of vulnerabilities. Federal agencies have struggled with patching vulnerabilities in the past. A 2018 report from the U.S. Government Accountability Office, which surveyed 24 agencies, found that patching was a common weakness because agencies “had not fully implemented key elements of their information security programs.”
Chris Goettl, director of product management security at Ivanti, noted that the previous patching directive was successful.
“This mandate helped federal agencies to drive the average time to patch for critical vulnerabilities from 149 days on average to 20 days on average. Their desire to continue driving this time down to 15 days is the right direction,” Goettl said. “If you look at how quickly threat actors can reverse-engineer an update to create and exploit a vulnerability, the reason for this target time to patch becomes apparent. More than half of vulnerabilities that become exploited occur within two to four weeks of release of an update from the vendor.”
Jeanette Manfra, assistant director for cybersecurity at CISA, wrote in a blog post that agencies are encouraged to patch flaws faster than the 15-day deadline if they wish to, and encouraged others in both the public and private sector to set similar requirements.
“While many agencies, based on risk management decisions, may look to exceed the directive’s actions and timelines, BOD 19-02 ensures that all agencies are at least meeting the directive requirements,” Manfra wrote. “The federal government must continue to enhance our security posture, reduce risks posed by vulnerable internet-accessible systems, and build upon the success of past initiatives by advancing federal requirements for high and critical vulnerability remediation to further reduce the risk to federal agency information systems.”
The new DHS patching rules may not apply to all software flaws. The directive noted that the deadlines specifically apply to vulnerabilities on internet-accessible systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) in their weekly Cyber Hygiene report.
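To make the directive's scope and clocks concrete, here is an added example of how a vulnerability management team might encode the rules described above into a deadline tracker. It is not code from the article, DHS or CISA. It assumes that the 15-day and 30-day windows are calendar days counted from the date the finding appears in the Cyber Hygiene report, that the three-working-day remediation-plan window starts when a patch deadline is missed, and that findings rated below "high" and systems that are not internet-accessible fall outside the directive; the findings, hostnames and CVE-style identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Deadlines as stated in the article: 15 days for critical, 30 days for high.
# Assumption: these are calendar days from the report date.
PATCH_DEADLINE_DAYS = {"critical": 15, "high": 30}
# Assumption: the three-working-day clock for a remediation plan starts at the missed deadline.
REMEDIATION_PLAN_WORKING_DAYS = 3


@dataclass
class Finding:
    host: str
    vuln_id: str              # constructed placeholder, not a real CVE
    severity: str             # rating from the hygiene report: critical/high/medium/low
    internet_accessible: bool  # directive only covers internet-accessible systems
    reported: date            # date the finding appeared in the weekly report
    patched: Optional[date] = None


def add_working_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday working days (holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def patch_due(f: Finding) -> Optional[date]:
    """Patch deadline for a finding, or None if the directive does not apply."""
    days = PATCH_DEADLINE_DAYS.get(f.severity)
    if days is None or not f.internet_accessible:
        return None
    return f.reported + timedelta(days=days)


def assess(f: Finding, today: date) -> Tuple[str, Optional[date], Optional[date]]:
    """Return (state, patch_due, remediation_plan_due) for one finding."""
    due = patch_due(f)
    if due is None:
        return ("out-of-scope", None, None)
    if f.patched is not None:
        return ("patched-on-time" if f.patched <= due else "patched-late", due, None)
    if today <= due:
        return ("open", due, None)
    # Unpatched past the deadline: a remediation plan is owed to CISA.
    return ("overdue-plan-required", due, add_working_days(due, REMEDIATION_PLAN_WORKING_DAYS))


def summarize(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group hostnames by compliance state so overdue items surface first in review."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        state, _, _ = assess(f, today)
        groups.setdefault(state, []).append(f.host)
    return groups


# Constructed sample report; identifiers are placeholders.
TODAY = date(2019, 5, 20)
FINDINGS = [
    Finding("web01", "CVE-XXXX-0001", "critical", True, date(2019, 5, 1)),   # overdue since May 16
    Finding("vpn01", "CVE-XXXX-0002", "high", True, date(2019, 5, 1)),        # due May 31
    Finding("db01", "CVE-XXXX-0003", "critical", False, date(2019, 5, 1)),    # internal, out of scope
    Finding("mail01", "CVE-XXXX-0004", "high", True, date(2019, 4, 1), patched=date(2019, 4, 28)),
    Finding("dns01", "CVE-XXXX-0005", "medium", True, date(2019, 5, 1)),      # rating below "high"
]

if __name__ == "__main__":
    for f in FINDINGS:
        state, due, plan_due = assess(f, TODAY)
        print(f"{f.host:7} {f.severity:8} {state:22} patch_due={due} plan_due={plan_due}")
    print(summarize(FINDINGS, TODAY))
```

Running the block on the sample data puts `web01` in the overdue group with a remediation plan due 21 May 2019 (three working days after the missed 16 May deadline, skipping the weekend), leaves `vpn01` open until 31 May, and reports `db01` and `dns01` as outside the directive. Asset inventory is the input this tracker cannot supply: a host that is internet-accessible but missing from the report, the gap Orlando describes further down, never gets a deadline at all.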
Mounir Hahad, head of Threat Labs for Juniper Networks, questioned how this limitation would affect what vulnerabilities are reported for patching.
“The security research community is very good at making responsible disclosures to the vendors impacted, who can work on producing patches without rushing a solution. In this case, the NCCIC may not even have visibility into those vulnerabilities and will certainly not disclose the ones it is aware of nor include them in cyber hygiene scans for fear of leakage,” Hahad said. “In the case [of zero-days], all bets are off because threat actors are already exploiting it, so vendors have to rush a fix to mitigate the situation. One week should be enough for the first case, while an emergency patch has to be scheduled as soon as vendors produce patches.”
Usman Rahim, digital security and operations manager at The Media Trust, said agencies should form teams focused on mitigating threats from unpatched vulnerable systems in order to meet the DHS patching deadlines.
“DHS has become more agile in identifying and mitigating the security flaws that impact many government organizations. The timeline helps agencies prioritize and take action on high-impact security flaws. It also gives agencies the impetus to work with action plans, structure and deadlines to mitigate reported threats,” Rahim said. “The timeline is reasonable for agencies that already have a structure and plans in place. Agencies that don’t will find the deadlines impossible to meet.”
Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, was skeptical that the timelines were realistic, but noted that “it is important to set deadlines that those agencies can work towards and against which they can measure their efforts.
“The big problem with patching is you have to know what systems you have first, and I think a lot of organizations still struggle with asset management. Agencies are still trying to get their arms around that challenge and need to get that visibility before they can consistently meet these deadlines,” Orlando wrote via email. “That being said, with additional time, the guidelines should be achievable and it is a good thing that DHS is putting these deadlines in place. We need to start somewhere, so having this baseline — even if the timeline isn’t achievable yet — gives agencies a goal to work towards.”
Goettl added that the deadlines were realistic, but “not without effort.”
“To make a mandate like this successful you need to have the entire business on board with this change. The DHS has created this success by making this a mandate and likely a cultural change, but there is more to it than just will,” Goettl said. “To be successful there needs to be a cultural change from the C-level on down that security is taken seriously. The first business owner to push back and get the C-suite to overturn the policy will cripple any momentum.”