CISA to monitor federal agencies' speed in fixing vulnerabilities in Internet-accessible systems
The Cybersecurity and Infrastructure Security Agency has ordered nearly all federal agencies to rapidly remediate vulnerabilities that its scans detect on their Internet-accessible information systems.
Critical-severity vulnerabilities must be remediated within 15 calendar days of initial detection, and high-severity vulnerabilities within 30 calendar days of initial detection. Severity is determined by the CVSS base score assigned to each finding in CISA's Cyber Hygiene scanning, and the clock starts when CISA first detects the issue on the agency's externally facing system, not when the vulnerability is publicly disclosed.
The binding operational directive (BOD 19-02) from CISA, a component of the Department of Homeland Security, covers all federal executive branch departments and agencies except the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.
The order includes the Department of Health and Human Services, which oversees the nation's vast healthcare delivery system. CISA will track the remediation progress of HHS and the other covered agencies and will engage senior leaders, chief information security officers, chief information officers and risk management officials as necessary and appropriate.
Agencies are expected to review the Cyber Hygiene reports that CISA issues to them, which list the vulnerabilities detected on their Internet-accessible systems. If a vulnerability is not remediated within the specified timeframe, CISA will send the agency a partially populated remediation plan identifying the overdue findings, and the agency must return the completed remediation plan within three working days of receipt.
“As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally facing systems,” according to CISA.
“Recent reports indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent and able to exploit known vulnerabilities.”