DHS tells agencies to move faster to fix critical cyber vulnerabilities


The Department of Homeland Security wants agencies to move even faster to repair system vulnerabilities.

The 2015 requirement to fix critical system vulnerabilities in 30 days is now cut in half, and agencies must fix “high” vulnerabilities in 30 days. DHS issued a new binding operational directive Monday setting the new deadlines for vulnerabilities identified through cyber hygiene scanning.

“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” wrote Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency. “Agencies are responsible for managing risk to their networks, and should remediate vulnerabilities to critical systems as quickly as possible. The 15 day and 30 day requirements in the BOD are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices.”

The new directive replaces the one from 2015 that…
