Today in Security: DHS Issues New Patching Requirements For Agencies

U.S. federal civilian agencies now have 15 days to patch critical vulnerabilities after they are discovered, following a recently issued binding operational directive.

The U.S. Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) cut the time agencies have to patch critical vulnerabilities in half, from 30 days to 15. Agencies must patch high-risk vulnerabilities within 30 days.

“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” said the memo issued with the order.

The clock begins ticking for agencies to patch these vulnerabilities as soon as they are initially discovered—not when the vulnerability is reported to the agencies.

“Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection,” according to CISA.

DHS has recently been using binding operational directives to push agencies to strengthen their cybersecurity posture.

“The directives are sometimes published in response to what officials see as clear-and-present cyberthreats,” CyberScoop reported. “In January, for example, DHS issued an unprecedented ‘emergency’ directive telling agencies to shore up their domain name system security after researchers reported that Iran-linked hackers had manipulated DNS records at organizations on multiple continents.”

The latest directive, however, will place increasing pressure on cybersecurity employees—who are facing a workforce shortage. More than 300,000 cybersecurity positions are unfilled in the United States, which prompted U.S. President Donald Trump to issue an executive order on Thursday acknowledging the cybersecurity workforce as “a strategic asset that protects the American people, the homeland, and the American way of life.”

The order tasks the secretary of homeland security, together with the directors of the Office of Management and Budget and the Office of Personnel Management, with creating a cybersecurity rotational assignment program to transfer and develop practitioners. It also calls on agency heads to identify a list of cybersecurity aptitude assessments that agencies can use to find current employees with the potential to acquire cybersecurity skills and to support their placement in cybersecurity jobs.

“United States government policy must facilitate the seamless movement of cybersecurity practitioners between the public and private sectors, maximizing the contributions made by their diverse skills, experiences, and talents to our nation,” according to the order. “The United States government must support the development of cybersecurity skills and encourage ever-greater excellence so that America can maintain its competitive edge in cybersecurity.”

In an upcoming issue of Security Management, Senior Editor Megan Gates will explore how companies are responding to the cyber workforce shortage to attract, and retain, talent.