
Memo to U.S. Federal Agencies: Patch Critical Vulnerabilities Faster

A U.S. Department of Homeland Security (DHS) cybersecurity directive (Binding Operational Directive 19-02) now requires federal civilian agencies to remediate "critical" vulnerabilities on their Internet-accessible systems within 15 calendar days of initial detection; previously, agencies had 30 calendar days to patch these vulnerabilities.

The new DHS cybersecurity directive, "Vulnerability Remediation Requirements for Internet-Accessible Systems," also includes the following vulnerability review and remediation mandates:

  • "High" vulnerabilities must be remediated within 30 calendar days of initial detection.
  • If vulnerabilities are not remediated within the required time frame, DHS's Cybersecurity and Infrastructure Security Agency (CISA) will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency points of contact (POCs); the agency then must submit a completed remediation plan within three working days of receipt.

In addition, CISA monitors each agency's progress on patching. It tracks the remediation of critical and high vulnerabilities through its Cyber Hygiene scanning of agencies' Internet-accessible systems and validates compliance through the resulting reports.
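An agency cannot wait for CISA's overdue list to learn it is late; it needs its own view of which open findings have passed the 15- or 30-day window. The following tracker is an added example written for this article, not code from CISA or from the directive. It assumes (as labelled in the code) that severity is derived from a CVSS v3 base score using NVD-style bands (9.0 and above is critical, 7.0 to 8.9 is high), that the clock starts on the date of initial detection, and that the scan findings it processes are constructed sample data rather than real Cyber Hygiene output.

```python
"""Overdue-finding tracker for the 15-day (critical) and 30-day (high)
remediation windows.

Added example; not code from the article, CISA or the directive.
Assumptions, all labelled below: severity comes from a CVSS v3 base score
using NVD-style bands, deadlines are counted in calendar days from initial
detection, and SAMPLE_FINDINGS is constructed data, not real scan output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation windows from the directive, in calendar days from detection.
SLA_DAYS = {"critical": 15, "high": 30}


def severity(cvss_base: float) -> Optional[str]:
    """Map a CVSS v3 base score to the directive's in-scope severities.
    Assumption: NVD bands (>= 9.0 critical, 7.0-8.9 high). Medium and low
    findings are out of scope and map to None."""
    if cvss_base >= 9.0:
        return "critical"
    if cvss_base >= 7.0:
        return "high"
    return None


@dataclass(frozen=True)
class Finding:
    ref: str                 # scanner's finding identifier (constructed here)
    host: str
    cvss_base: float
    first_detected: date     # date the scanner first saw it
    remediated: Optional[date] = None   # None while the finding is still open


@dataclass(frozen=True)
class Status:
    finding: Finding
    severity: str
    due: date
    days_past_due: int       # positive = overdue, negative = days remaining


def deadline(f: Finding) -> Optional[date]:
    """Remediation deadline for an in-scope finding, or None if out of scope."""
    sev = severity(f.cvss_base)
    if sev is None:
        return None
    return f.first_detected + timedelta(days=SLA_DAYS[sev])


def triage(findings: List[Finding], as_of: date) -> List[Status]:
    """Status of every OPEN in-scope finding as of `as_of`, most overdue first.
    Closed findings are skipped; out-of-scope (medium/low) findings are skipped."""
    out = []
    for f in findings:
        sev = severity(f.cvss_base)
        if sev is None or f.remediated is not None:
            continue
        due = deadline(f)
        out.append(Status(f, sev, due, (as_of - due).days))
    return sorted(out, key=lambda s: s.days_past_due, reverse=True)


def overdue(findings: List[Finding], as_of: date) -> List[Status]:
    """Only the findings that would appear on CISA's overdue list."""
    return [s for s in triage(findings, as_of) if s.days_past_due > 0]


def report(findings: List[Finding], as_of: date) -> List[str]:
    """Human-readable lines, one per open in-scope finding."""
    lines = []
    for s in triage(findings, as_of):
        state = f"OVERDUE by {s.days_past_due}d" if s.days_past_due > 0 \
            else f"{-s.days_past_due}d remaining"
        lines.append(f"{s.finding.ref:<12} {s.finding.host:<16} "
                     f"{s.severity:<8} due {s.due.isoformat()}  {state}")
    return lines


# Constructed sample findings (not real scan data). Reference date: 2019-06-01.
AS_OF = date(2019, 6, 1)
SAMPLE_FINDINGS = [
    Finding("sample-a", "vpn.example.gov", 9.8, date(2019, 5, 10)),         # critical, due 05-25
    Finding("sample-b", "www.example.gov", 7.5, date(2019, 5, 10)),         # high, due 06-09
    Finding("sample-c", "mail.example.gov", 7.5, date(2019, 4, 20)),        # high, due 05-20
    Finding("sample-d", "www.example.gov", 5.3, date(2019, 4, 1)),          # medium: out of scope
    Finding("sample-e", "api.example.gov", 9.1, date(2019, 5, 1),
            remediated=date(2019, 5, 14)),                                  # closed within 15 days
]

if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS, AS_OF):
        print(line)
```

Run as-is, the script lists sample-c as 12 days overdue, sample-a as 7 days overdue and sample-b with 8 days remaining; the medium finding and the already-closed critical one are not listed. Pointing `triage` at parsed output from whatever scanner an agency actually uses is the only change needed for real data.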

How Does CISA Support Federal Government Agencies?

CISA is taking the following actions to help federal government agencies comply with the new cybersecurity directive:

  • Providing regular reports to federal agencies on cyber hygiene scanning results and current status, as well as a federal enterprise "scorecard" report to agency leadership.
  • Providing standard remediation plan templates for federal agencies to use if remediation efforts exceed required time frames.
  • Engaging agency POCs to discuss agency status and provide technical expertise and guidance for remediation of specific vulnerabilities.
  • Engaging agency CIOs, CISOs and other cybersecurity professionals throughout the escalation process as needed.
  • Providing monthly cyber hygiene reports to the Office of Management and Budget (OMB) to identify cross-agency trends and challenges and facilitate potential policy and/or budget-related actions and remedies.

MSSPs can also help federal agencies comply with the DHS directive. They can provide managed security services to help agencies identify and remediate vulnerabilities within the required windows, along with recommendations for improving overall security posture.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.