Why patch management now takes agencies 20 days instead of 149

CISA boosted efficiency with a binding operational directive, one of several guidances it's issued to improve cybersecurity risk postures governmentwide.
Chris Krebs speaks April 4, 2019, at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop. (CyberScoop)

It once took federal agencies an average of 149 days to patch critical vulnerabilities once they were alerted, but now that number is down to an “impressive” 20 days, says Chris Krebs, head of the Department of Homeland Security’s cybersecurity agency.

The boost in efficiency is due to one of the first binding operational directives the department ever issued, Krebs said Tuesday at the AFCEA Homeland Security Conference in Washington, D.C.

CISA now has a new goal of 15 days to patch, said Krebs, the director of the Cybersecurity and Infrastructure Security Agency. The Department of Homeland Security has had a “great deal of success” improving the cybersecurity risk postures of federal agencies by issuing guidances like BODs and emergency directives, Krebs added. The patch management BOD was issued in 2015, and there have been more than a half-dozen since then.

Those kinds of efforts have ripple effects beyond agencies, he said.


“When the government acts and the government acts publicly, others take heed,” he said. “So this is kind of the Spider-Man problem of ‘with great power comes great responsibility.’”

During the 35-day government shutdown, CISA issued an emergency directive in response to a global domain name system tampering campaign largely targeting overseas and Middle Eastern governments but with some activity running through the U.S. Under the emergency directive CISA issued, all federal civilian agencies were required to reset passwords, enable multi-factor authentication, audit their domain name system (DNS) records, and review certificate transparency logs.
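Two of the required steps, auditing DNS records and reviewing certificate transparency (CT) logs, are the ones a defender can automate. The script below is an added example, not code from CISA or from the article: it diffs a zone's current records against a baseline the agency keeps of what it believes it published, and flags CT entries for the agency's domains that were issued by a certificate authority the agency does not use. The baseline, the observed records, the CT entries and the issuer list are all constructed sample data.

```python
"""Audit DNS records and CT log entries against an agency baseline.

Added example; not CISA's or CyberScoop's code. All data below is constructed,
and the baseline, issuer list and managed-domain list are assumptions.
"""
from dataclasses import dataclass

# Constructed baseline: the records the agency believes it published.
BASELINE = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("mail.agency.example", "MX"): {"10 mx1.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

# Constructed "current" zone data, as a resolver or registrar export would show it.
OBSERVED = {
    ("www.agency.example", "A"): {"198.51.100.7"},              # changed
    ("mail.agency.example", "MX"): {"10 mx1.agency.example."},  # unchanged
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("vpn.agency.example", "A"): {"203.0.113.9"},               # not in baseline
}

# Certificate authorities the agency actually uses (assumption).
EXPECTED_ISSUERS = {"Agency Internal CA", "Public CA Inc"}

# Constructed CT log entries as (common name, issuer, not-before date).
CT_ENTRIES = [
    ("www.agency.example", "Public CA Inc", "2019-01-03"),
    ("mail.agency.example", "Cheap Certs Ltd", "2019-01-20"),
    ("blog.othersite.example", "Cheap Certs Ltd", "2019-01-21"),
]


@dataclass
class Finding:
    kind: str    # missing | changed | unexpected | unexpected-cert
    name: str    # DNS name or certificate common name
    detail: str


def audit_dns(baseline, observed):
    """Return findings for records that vanished, changed, or appeared."""
    findings = []
    for key, expected in baseline.items():
        name, rtype = key
        actual = observed.get(key)
        if actual is None:
            findings.append(Finding("missing", name, f"{rtype} record absent"))
        elif actual != expected:
            findings.append(Finding(
                "changed", name,
                f"{rtype}: expected {sorted(expected)}, saw {sorted(actual)}"))
    # Records present in the zone that the baseline never contained.
    for key in sorted(observed.keys() - baseline.keys()):
        name, rtype = key
        findings.append(Finding(
            "unexpected", name,
            f"{rtype} record not in baseline: {sorted(observed[key])}"))
    return findings


def in_scope(cn, managed_domains):
    """True if the common name is one of, or a subdomain of, the managed domains."""
    return any(cn == d or cn.endswith("." + d) for d in managed_domains)


def audit_ct(entries, managed_domains, expected_issuers):
    """Flag certificates for managed domains that came from an unexpected CA."""
    findings = []
    for cn, issuer, not_before in entries:
        if not in_scope(cn, managed_domains):
            continue  # another organisation's certificate; not our concern
        if issuer not in expected_issuers:
            findings.append(Finding(
                "unexpected-cert", cn, f"issued by {issuer} on {not_before}"))
    return findings


def run_audit():
    """Run both checks over the constructed data and return all findings."""
    return audit_dns(BASELINE, OBSERVED) + audit_ct(
        CT_ENTRIES, {"agency.example"}, EXPECTED_ISSUERS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

In practice the baseline would be exported from the registrar or authoritative server before any incident, and the CT entries would come from a log monitor; the value of the check is that a changed A record or a certificate from a CA the agency never contracted with is exactly what a DNS-hijacking campaign produces, and both are invisible to users until compared against what the agency expected.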

The first coordination call held during the shutdown had the highest participation of any to that point, Krebs said, and state and local partners like New York City’s chief information security officer followed suit in executing the emergency directive.

“This is not the first time we’ve seen binding operational directives or emergency directives, in this case, be taken on by our private sector partners,” he said.

The most well-known is 2017’s Kaspersky Lab BOD, in which CISA gave agencies 90 days to remove the Russian cybersecurity provider’s products from their environments and replace them to manage their risk.


“That one went according to plan,” Krebs said.
