CISA directive gives agencies 60 days to update vulnerability management

Departments will have to provide a copy of their new policies and procedures to CISA if asked.

Departments across the federal government will have 60 days to review and update vulnerability management procedures under a new directive issued Wednesday by the Cybersecurity and Infrastructure Security Agency.

According to the document, agencies will also have to provide a copy of their new policies and procedures to the Department of Homeland Security agency if asked.

Other required actions from agencies under the directive include remediating vulnerabilities according to the timelines set out in the vulnerability catalog managed by the Cybersecurity and Infrastructure Security Agency (CISA). Departments also will have to provide CISA with details about the status of vulnerabilities listed in the catalog.

Agencies additionally are expected to automate data exchange and to report their respective implementation status through CISA’s Continuous Diagnostics and Mitigation (CDM) federal dashboard.


The latest edict from CISA comes amid a push to fast-track the improvement of cybersecurity across federal agencies and to remediate security flaws in software development.

CISA said in the document that it will continue to assist agencies in addressing cybersecurity flaws by closely maintaining its vulnerability catalog and alerting agencies where necessary.

The oversight agency also will provide a status report on vulnerabilities at the end of each fiscal year to the secretary of DHS, the director of the Office of Management and Budget and the National Cyber Director to identify the status of vulnerability fixes across agencies.
