The Department of Homeland Security released a binding operational directive on Monday urging federal agencies to continue complying with a regulation that requires periodic assessments of critical network vulnerabilities.
BOD 19-02 is directing agencies to take action based on the Cybersecurity and Infrastructure Security Agency’s “Cyber Hygiene” reports under BOD 15-01, which was issued in 2015 to fortify the federal government’s security posture.
BOD 15-01 requires federal agencies to address the vulnerabilities of their internet-facing systems as identified in their Cyber Hygiene reports within 30 days. As part of the new directive, DHS requires agencies to ensure that critical vulnerabilities identified in Cyber Hygiene reports are remediated within 15 days and high vulnerabilities within 30 days.
Agencies are also required to ensure that Cyber Hygiene personnel have access to scan their networks. CISA will provide agencies with a remediation plan for overdue corrective actions if the deadline is not met.
CISA works with the National Cybersecurity and Communications Integration Center as well as the Office of Management and Budget to identify critical cyber vulnerabilities and allocate proper resources for agencies in need of cybersecurity assistance.