The US Dept. of Homeland Security this week issued a binding directive, Vulnerability Remediation Requirements for Internet-Accessible Systems. The DHS Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 19-02, which requires federal agencies to remediate critical security vulnerabilities within 15 days of initial detection. As explained by CISA, “A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”
According to Mounir Hahad, head of Juniper Networks’ Juniper Threat Labs, “This is a good initiative, one that all reputable private sector enterprises already subscribe to via third party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector, as it is definitely a best practice in the industry.
I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”