The Cybersecurity and Infrastructure Security Agency on Wednesday directed federal agencies to adopt a new risk-based approach to fixing vulnerabilities in their systems.
CISA’s binding operational directive (BOD) establishes new deadlines for vulnerability remediation based on four factors: whether affected systems are exposed to the internet, whether threat actors are exploiting the flaw, whether the exploit is automatable and whether exploitation gives attackers at least partial control of the affected system.
The new system reflects an increasingly complex and dangerous threat environment in which both internet-exposed devices and serious vulnerabilities are proliferating quickly — and in which AI is making it easier for hackers to automate attacks that use those vulnerabilities to breach devices.
“Prioritizing IT and security operations’ attention on the most at-risk assets is particularly important now, given advancements in artificial intelligence which allow threat actors to find and exploit vulnerabilities in these assets,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, told reporters during a briefing on Wednesday. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”
Under the new prioritization scheme, which takes effect Dec. 7, agencies will have three days to address actively exploited, automatable vulnerabilities that grant hackers at least partial control over internet-facing systems. In cases where the vulnerability would grant hackers total control, agencies also have to perform a forensic triage of the affected assets to determine if they have been compromised. (CISA’s implementation guidance for the BOD describes how agencies should perform triages.)
The BOD sets longer deadlines for the other combinations of those four factors. Agencies will have two weeks to address actively exploited vulnerabilities that would grant partial control over internet-facing systems but are not automatable. (Where exploitation is not automatable but would grant full control, agencies must still remediate within three days and perform a forensic triage.) Longer deadlines also apply to vulnerabilities that hackers are not yet exploiting and to vulnerabilities in systems that are not exposed to the internet.

Nick Andersen, CISA’s acting director, said in a statement that the directive was aimed at “empowering federal civilian agencies to focus their efforts on the areas of highest risk and to defer patching lower priority vulnerabilities.”
Implementation timeline
Beginning on Wednesday, agencies must update their vulnerability handling procedures to reflect CISA’s directive, including assigning responsibilities to the appropriate employees and establishing compliance and tracking processes. They must also monitor CISA’s Known Exploited Vulnerabilities (KEV) catalog for new entries, automatically report their vulnerability remediation status through CISA’s Continuous Diagnostics and Mitigation dashboard and ensure their systems allow CISA to conduct its periodic Cyber Hygiene scans.
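To make the prioritization scheme and the KEV-monitoring requirement concrete, here is an added example (not CISA's code and not part of the original story) that diffs a KEV catalog snapshot against the entries an agency has already processed and assigns the deadline the article states for each combination of the four factors. It assumes the published KEV feed layout (a top-level "vulnerabilities" list with "cveID", "dateAdded" and "dueDate"), that the BOD clock starts on the KEV "dateAdded" date (the article does not say where the clock starts), and that the agency supplies its own judgment of exposure, automatability and control level; the CVE identifiers in the sample feed are placeholders, not real entries.

```python
"""Flag new KEV entries and map them to the BOD deadlines the article describes.

Added example, not CISA's code. Assumptions: the KEV feed schema below, a
deadline clock that starts on the KEV "dateAdded" date, and an agency-supplied
assessment of exposure, automatability and control level per affected asset.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs are
# placeholders, not real catalog entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-12-01", "dueDate": "2025-12-22"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2025-12-08", "dueDate": "2025-12-29"},
    ],
})


def new_kev_entries(feed_json: str, already_seen: set) -> list:
    """Return catalog entries whose cveID the agency has not processed yet."""
    catalog = json.loads(feed_json)
    return [v for v in catalog["vulnerabilities"] if v["cveID"] not in already_seen]


@dataclass(frozen=True)
class Assessment:
    """The four factors the BOD keys its deadlines on, as judged by the agency."""
    internet_exposed: bool
    actively_exploited: bool   # True for anything listed in the KEV catalog
    automatable: bool
    full_control: bool         # False means partial control only


@dataclass(frozen=True)
class Deadline:
    days: int
    forensic_triage: bool


def bod_deadline(a: Assessment) -> Optional[Deadline]:
    """Deadline the article states for this combination, or None where the
    article only says a 'longer deadline' applies without giving a number."""
    if not (a.internet_exposed and a.actively_exploited):
        return None  # longer deadlines apply, but the article does not quantify them
    if a.full_control:
        # Exploited, internet-facing, full control: three days plus forensic
        # triage, whether or not exploitation is automatable.
        return Deadline(days=3, forensic_triage=True)
    if a.automatable:
        return Deadline(days=3, forensic_triage=False)
    return Deadline(days=14, forensic_triage=False)


def due_date(date_added: str, dl: Deadline) -> date:
    """Assumption: the clock starts on the KEV dateAdded value."""
    return date.fromisoformat(date_added) + timedelta(days=dl.days)


if __name__ == "__main__":
    # Example run: one entry already processed, the other newly added.
    seen = {"CVE-0000-0001"}
    for entry in new_kev_entries(SAMPLE_KEV_FEED, seen):
        assessment = Assessment(internet_exposed=True, actively_exploited=True,
                                automatable=True, full_control=True)
        dl = bod_deadline(assessment)
        print(entry["cveID"], dl, due_date(entry["dateAdded"], dl).isoformat())
```

The `None` return is deliberate: the story gives numbers only for the exploited, internet-facing cases, so the function refuses to guess a deadline for the rest rather than inventing one. A real deployment would read the live feed instead of the embedded sample and keep `already_seen` in persistent storage.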
Agencies must have fully updated their vulnerability management processes to account for the BOD’s timelines by Aug. 9, 60 days after Wednesday’s issuance of the directive. They must begin implementing those remediation processes by Dec. 7, 180 days after the BOD’s release. As part of that work, they must tag all internet-accessible devices with information that they and CISA can use to monitor the devices.
CISA said it would release guidance on tagging within 60 days. It also committed to regularly reporting to agencies on the results of its vulnerability scans. And once a year, it said, it will conduct a “data-driven reassessment” of the BOD’s deadlines to determine whether to shorten them. The agency will also update its triage guidance as necessary.
Practicality concerns
The directive’s tight timelines for the most serious vulnerabilities could be a challenge for some agencies to meet. Many agencies, even some large Cabinet-level departments, have small cybersecurity teams and scattershot asset visibility, which will make it difficult for them to remediate flaws by the deadlines.
Some agencies are also likely to struggle with the complex triage process, which involves activities that their security teams may not be used to performing.
The tightest deadlines could even cause disruptions at some agencies. Vendors sometimes take more than three days to develop a patch, so the requirement to either patch or disconnect a vulnerable device within that window could force agencies to operate without critical systems until a patch arrives and is validated.
During Wednesday’s briefing, Butera said CISA was confident that all agencies would be able to implement the directive.
“We do believe the agencies should be able to meet the three-day deadline,” he said. “On the forensic triage piece, we do understand that some of this is going to be a newer step for some of the federal agencies to do.” The 180-day implementation window offers agencies “a good runway,” he added, and CISA will be able to help agencies that still struggle.
“We are hopeful that this binding operational directive will not require additional work for the agencies,” he said, “but rather allow them to better prioritize the patching.”
Editor’s note: This story has been updated with comments from a briefing.