DHS: Federal Agencies Need to Patch Vulnerabilities Faster
The U.S. Department of Homeland Security is requiring that federal agencies speed up patching and remediating “critical” and “high” software vulnerabilities.
Under a new directive, Binding Operational Directive (BOD) 19-02, released this week, federal agencies’ IT departments must patch software vulnerabilities deemed critical within 15 calendar days and fix vulnerabilities considered high within 30 days, DHS announced Wednesday. Under previous rules established in 2015, critical vulnerabilities needed remediation within 30 days, and there were no specific guidelines for those vulnerabilities deemed high.
The goal of the directive is to ensure that federal agencies address vulnerabilities with greater urgency, especially as the time between the discovery of a vulnerability and the ability of malicious actors to exploit that flaw shrinks, according to the DHS directive.