US government agencies need to patch critical security flaws within 15 days and high-severity vulnerabilities within 30 days under BOD 19-02, a new Binding Operational Directive issued by the Department of Homeland Security (DHS). The period for fixing critical issues was cut in half, because the previous directive (BOD 15-01) gave organizations 30 days to implement patches.
The DHS states that the new requirements aim to “further reduce the attack surface and risk to federal agency information systems.” Mounir Hahad of Juniper Networks welcomes the stricter patching requirements, but points out that the 15-day period may still be too long for critical flaws that are already being exploited in the wild, or that are very easy to exploit.
Read more: DHS Orders Agencies to Patch Critical Flaws Within 15 Days
