U.S. federal civilian agencies now have 15 days to patch critical vulnerabilities after they’re discovered, following a recently issued binding operational directive. The U.S. Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) decreased the time agencies have to patch critical vulnerabilities from 30 to 15 days. Agencies must patch high-risk vulnerabilities within 30 days.

“Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities,” said the memo issued with the order.

The clock begins ticking for agencies to patch these vulnerabilities as soon as they are initially discovered, not when the vulnerability is reported to the agencies.

“Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection,” according to CISA.

DHS has recently been using binding operational directives to push agencies to strengthen their cybersecurity posture.

“The directives are sometimes published in response to what officials see as clear-and-present cyberthreats,” CyberScoop reported. “In January, for example, DHS issued an unprecedented ‘emergency’ directive telling agencies to shore up their domain name system security after researchers reported that Iran-linked hackers had manipulated DNS records at organizations on multiple continents.”

The latest directive, however, will place increasing pressure on cybersecurity employees, who are already facing a workforce shortage. More than 300,000 cybersecurity positions are unfilled in the United States, which prompted U.S. President Donald Trump to issue an executive order on Thursday acknowledging the cybersecurity workforce as “a strategic asset that protects the American people, the homeland, and the American way of life.”

The order tasks the secretary of homeland security, together with the directors of the Office of Management and Budget and the Office of Personnel Management, with creating a cybersecurity rotational assignment program to transfer and develop practitioners. It also calls on agency heads to identify a list of cybersecurity aptitude assessments that agencies can use to identify current employees with the potential to acquire cybersecurity skills and be placed in cybersecurity jobs.

“United States government policy must facilitate the seamless movement of cybersecurity practitioners between the public and private sectors, maximizing the contributions made by their diverse skills, experiences, and talents to our nation,” according to the order. “The United States government must support the development of cybersecurity skills and encourage ever-greater excellence so that America can maintain its competitive edge in cybersecurity.”

In an upcoming issue of Security Management, Senior Editor Megan Gates will explore how companies are responding to the cyber workforce shortage to attract, and retain, talent.