Binding Operational Directive 19-02
April 29, 2019
Vulnerability Remediation Requirements for Internet-Accessible Systems
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 19-02, “Vulnerability Remediation Requirements for Internet-Accessible Systems”.
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.
Federal agencies are required to comply with DHS-developed directives.
These directives do not apply to statutorily defined “national security systems” nor to certain systems operated by the Department of Defense or the Intelligence Community.
As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems. Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities. The federal government must continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems as soon as possible.
Binding Operational Directive 15-01: Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems1 established requirements for federal agencies to review and remediate critical vulnerabilities on Internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of issuance of their weekly Cyber Hygiene report. Since its issuance in 2015, the prior National Protection and Programs Directorate and the current Cybersecurity and Infrastructure Security Agency (CISA) oversaw a substantial decrease in the number of critical vulnerabilities over 30 calendar days and a significant improvement in how agency teams identified and responded to these vulnerabilities in a timely manner. By implementing specific remediation actions, and initiating ongoing monitoring and transparent reporting via CISA’s Cyber Hygiene service,2 BOD 15-01 helped drive progress and enhance the federal government’s security posture. In support of BOD implementation, CISA leverages Cyber Hygiene scanning results to identify cross-government trends and persistent constraints, and works with the Office of Management and Budget (OMB) to help impacted agencies overcome technical and resource challenges that prevent the rapid remediation of vulnerabilities.
The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems.
This directive supersedes BOD 15-01, Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems (May 21, 2015), which is hereby revoked.
To ensure effective and timely remediation of critical and high vulnerabilities identified through Cyber Hygiene scanning, federal agencies shall complete the following actions:
Ensure Access and Verify Scope
a. Ensure Cyber Hygiene scanning access by removing Cyber Hygiene source IP addresses from block lists.
b. Within five working days of the change, notify CISA at email@example.com of any modifications to your agency’s Internet-accessible IP addresses. This includes newly acquired Internet-accessible IP addresses or re-assigned Internet-accessible IP addresses that are no longer part of the agency’s asset inventory.
c. Upon request from CISA, submit updated Cyber Hygiene agreements to firstname.lastname@example.org.
Review and Remediate Critical and High Vulnerabilities
a. Review Cyber Hygiene reports issued by CISA and remediate the critical and high vulnerabilities detected on the agency’s Internet-accessible systems as follows:
- Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
- High vulnerabilities must be remediated within 30 calendar days of initial detection.
b. If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt to email@example.com. The recipient of the remediation plan shall complete the following fields in the remediation plan:
- Vulnerability remediation constraints
- Interim mitigation actions to overcome constraints
- Estimated completion date to remediate the vulnerability
CISA will monitor federal agency progress and will engage agency senior leadership, such as Chief Information Security Officer (CISO), Chief Information Officer (CIO), and Senior Accountable Official for Risk Management (SAORM), as necessary and appropriate, when the agency has not met the Required Action deadlines specified above.
CISA also will track the remediation of critical and high vulnerabilities through persistent Cyber Hygiene scanning and will validate compliance with the BOD requirements through these reports.
CISA will provide regular reports to federal agencies on Cyber Hygiene scanning results and current status, and a Federal Enterprise ‘scorecard’ report to agency leadership.
CISA will provide standard remediation plan templates for federal agencies to populate if remediation efforts exceed required timeframes.
CISA will engage agency POCs to discuss agency status and provide technical expertise and guidance for the remediation of specific vulnerabilities, as requested and appropriate.
CISA will engage Agency CIOs, CISOs, and SAORMs throughout the escalation process, if necessary.
CISA will provide monthly Cyber Hygiene reports to OMB to identify cross-agency trends, persistent challenges, and facilitate potential policy and/or budget-related actions and remedies. The report will also ensure alignment with other OMB-led cybersecurity oversight initiatives.
Frequently Asked Questions
- When do the 15 and 30 day “clocks” start for remediation?
- When will CISA start including high severity vulnerabilities in agencies’ reports?
- But aren’t today’s exploits to Internet-accessible devices measured in minutes and hours, not weeks?
- Why does BOD 19-02 treat all Internet-accessible devices equally and considers all critical and high vulnerabilities the same?
- Why is CISA requiring the return of completed remediation plans within three working days?
- What if there’s a valid rationale for delaying remediation?
- What’s the process for resolving false positives?
- Which version of the Common Vulnerability Scoring System (CVSS) does CISA use?
- Where can I locate Cyber Hygiene’s source IP addresses so my agency doesn’t add them to block lists?
When do the 15 and 30 day “clocks” start for remediation?
BOD 19-02 starts tracking vulnerabilities from the point of initial detection, rather than the date of first report to agencies. To facilitate tracking, the ‘detection date’ of each vulnerability is included in the findings.csv attachment under appendix G within agency Cyber Hygiene reports.
Empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection. CISA encourages agencies to use internal scanning capabilities to detect vulnerabilities prior to the delivery of weekly Cyber Hygiene reports. CISA is exploring the sending of alerts to agencies as vulnerabilities are discovered to help bridge the gap between detection and notification.
When will CISA start including high severity vulnerabilities in agencies’ reports?
In preparation for BOD 19-02, the Federal Cyber Exposure Scorecard (FCES) to agency leadership started showing high vulnerability counts, in addition to the critical vulnerability counts, in March 2019. CISA will continue to scan for and report on vulnerabilities of all severities (from low to critical) and include this information in agencies’ weekly Cyber Hygiene reports.
But aren’t today’s exploits to Internet-accessible devices measured in minutes and hours, not weeks?
Agencies are responsible for managing risk to their networks, and should remediate vulnerabilities to critical systems as quickly as possible. The 15 day and 30 day requirements in the BOD are the latest agencies should remediate all critical and high vulnerabilities to Internet-accessible devices.
Why does BOD 19-02 treat all Internet-accessible devices equally and considers all critical and high vulnerabilities the same?
Agencies are responsible for managing cybersecurity risk in their environments. CISA encourages agencies to apply additional parameters, rules, and internal policy decision points which may affect the acceptable timeframes to remediate specific types of vulnerabilities or vulnerabilities to certain types of devices. CISA recommends configuring patch management and vulnerability management programs to exceed BOD 19-02 requirements and to prioritize certain vulnerabilities and devices over others as part of normal security operations.
Why is CISA requiring the return of completed remediation plans within three working days?
CISA expects agencies to begin formulating remediation strategies well in advance of the 15 and 30 day deadlines, to accelerate remediation of vulnerabilities and allow easy integration of remediation information into plans for submittal to CISA once baselines are surpassed. CISA is compensating for the short turn-around time by providing a mostly pre-populated remediation plan for agency personnel to complete. Agencies only need to complete the data fields for mitigation steps, constraints, and estimated completion dates. This will ensure agencies are reporting the correct vulnerabilities within remediation plans, especially prior to changes introduced by the next week’s Cyber Hygiene reports.
What if there’s a valid rationale for delaying remediation?
Please document the justification for delayed remediation in the remediation plan provided by CISA (within the data column ‘remediation constraints’). CISA understands the distinctiveness of agency networks and the dependences involved in vulnerability remediation and is willing to work with agencies on a case-by-case basis when remediation is not feasible within established timeframes. Within the remediation plan, please be as descriptive as possible in detailing the justification for the delay.
What’s the process for resolving false positives?
To report a Cyber Hygiene-identified vulnerability as a false positive, please submit an email through your agency’s POC to firstname.lastname@example.org (and cc: email@example.com) with analysis and supporting evidence for determination (for example, a screenshot of the IP address and operating system). CISA will review your submission and perform necessary analysis to validate the assertion. This will not include exploiting a vulnerability, but may include actively sending packets to the host in question. CISA reserves the right to assert that findings are not false positives, but if CISA’s analysis appears to confirm your agency’s assertion, the vulnerability will be marked as a false positive.
Please utilize the False Positive Assertion form attached within your Cyber Hygiene report to organize your submission. The “cyber-hygiene-false-positive-assertion-form.pdf” attachment is located under Appendix G, and by clicking on the paper clip icon for the file. False positive status expires 365 days after designation by CISA and agencies are required to re-submit evidence on an annual basis to confirm the vulnerability remains a false positive. Vulnerabilities marked as ‘false positives’ will stop appearing in the main body of report for one year and will instead be reported in Appendix E: False Positive Findings, along with the expiration date of the false positive.
Note: CISA acceptance of false positive assertions is not confirmation that a finding is indeed a false positive.
Which version of the Common Vulnerability Scoring System (CVSS) does CISA use?
Cyber Hygiene leverages CVSS version 2, which is a vulnerability scoring system designed to provide a universally open and standardized method for rating IT vulnerabilities. Agencies, where capable and practical, should apply environmental scoring to Cyber Hygiene results as part of the identification of critical and high vulnerabilities and adjust base CVSS scores to be meaningful to their architectures, missions and assets.
Where can I locate Cyber Hygiene’s source IP addresses so my agency doesn’t add them to block lists?
The website containing Cyber Hygiene’s source IP addresses is included within the Methodology section of agencies’ weekly Cyber Hygiene reports and can be provided to agencies upon request to firstname.lastname@example.org.
DHS Binding Operational Directive 15-01 was issued on May 21, 2015. ↩
Cyber Hygiene leverages the Common Vulnerability Scoring System (CVSS), which is a vulnerability scoring system designed to provide a universally open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize vulnerability management strategies by providing a score representative of the base, temporal, and environmental properties of a vulnerability. ↩