DHS: Patch Within 15 Days—Or Else
DHS orders agencies to patch within 15 days for "critical" flaws and 30 days for "high" severity flaws.
The Department of Homeland Security has issued a new directive to government agencies, ordering them to quickly patch critical security vulnerabilities found on their networks within 15 calendar days.
Almost every day, a new study shows how patching continues to affect most organizations, with real consequences. Nearly 60% of organizations that have suffered a data breach in the past two years cite as the culprit a known vulnerability that they had not yet patched. The Equifax breach, which affected 148 million people, was blamed on a single IT staffer's failure to patch.
The new Binding Operational Directive (BOD) 19-02 from DHS instructs federal agencies and departments to address “critical” rated vulnerabilities within 15 days and “high” severity flaws within 30 days of initial detection. The clock for patch compliance starts when the vulnerability is initially detected during CISA’s weekly Cyber Hygiene scanning, rather than when it is first reported to the affected agencies.
It looks like the federal government is getting serious about cyber security. This is the second BOD that CISA has released this year. Following a series of DNS hijacking incidents, the agency issued an “emergency directive” earlier this year, ordering federal agencies to audit DNS records for their respective website domains and other agency-managed domains within 10 days.
Syxsense integrates naturally into your environment without interrupting business. Through maintenance windows, you automate both the ongoing discovery of any new devices and the immediate response when vendors release critical patches. Know you are secure rather than worrying about it.