DHS orders agencies to patch faster

DHS’s Cybersecurity and Infrastructure Security Agency now gives agencies 15 days after discovery to fix vulnerabilities deemed critical.
Chris Krebs, DHS
Chris Krebs speaks Oct. 18, 2018, at CyberTalks in Washington, D.C. (FedScoop)

This story first appeared on CyberScoop

The Department of Homeland Security has ordered federal civilian agencies to more swiftly plug the vulnerabilities found on their networks, citing evidence that hackers are getting quicker at exploiting such bugs.

In a Binding Operational Directive (BOD) dated April 29, DHS’s Cybersecurity and Infrastructure Security Agency gives agencies 15 days after discovery to fix vulnerabilities deemed critical – as opposed to the 30 days that agencies previously had to address those flaws.


“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” reads the memo from CISA Director Chris Krebs.

The new directive also gives agencies 30 days to fix vulnerabilities labeled “high” in severity, which are a step below critical. That is another change from a 2015 order, now revoked, which did not provide a timeline for agencies to address high vulnerabilities.

The hope is that agencies will be quicker than those deadlines. The order tells agencies to patch or otherwise secure their systems as soon as possible.

Last week, Krebs touted progress he said agencies had made in more quickly fixing software flaws. The average time it takes agencies to patch critical vulnerabilities after discovery is down from 149 days to just 20, he said.

BODs are a blunt tool used by Homeland Security officials when agencies aren’t doing enough to defend their networks on their own. The directives are sometimes published in response to what officials see as clear-and-present cyberthreats. In January, for example, DHS issued an unprecedented “emergency” directive telling agencies to shore up their domain name system security after researchers reported that Iran-linked hackers had manipulated DNS records at organizations on multiple continents.


As with other BODs, the new order doesn’t apply to the Pentagon and intelligence agencies, which are outside of DHS’s policy jurisdiction.

“CISA released [the directive] to continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems,” Jeanette Manfra, CISA’s assistant director, wrote in a blog post.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts