April 29, 2019
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 19-02, “Vulnerability Remediation Requirements for Internet-Accessible Systems”.
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.
Federal agencies are required to comply with DHS-developed directives.
These directives do not apply to statutorily defined “national security systems” nor to certain systems operated by the Department of Defense or the Intelligence Community.
As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems. Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities. The federal government must continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems as soon as possible.
Binding Operational Directive 15-01: Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems1 established requirements for federal agencies to review and remediate critical vulnerabilities on Internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of issuance of their weekly Cyber Hygiene report. Since its issuance in 2015, the prior National Protection and Programs Directorate and the current Cybersecurity and Infrastructure Security Agency (CISA) oversaw a substantial decrease in the number of critical vulnerabilities over 30 calendar days and a significant improvement in how agency teams identified and responded to these vulnerabilities in a timely manner. By implementing specific remediation actions, and initiating ongoing monitoring and transparent reporting via CISA’s Cyber Hygiene service,2 BOD 15-01 helped drive progress and enhance the federal government’s security posture. In support of BOD implementation, CISA leverages Cyber Hygiene scanning results to identify cross-government trends and persistent constraints, and works with the Office of Management and Budget (OMB) to help impacted agencies overcome technical and resource challenges that prevent the rapid remediation of vulnerabilities.
The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems.
This directive supersedes BOD 15-01, Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems (May 21, 2015), which is hereby revoked.
To ensure effective and timely remediation of critical and high vulnerabilities identified through Cyber Hygiene scanning, federal agencies shall complete the following actions:
Ensure Access and Verify Scope
a. Ensure Cyber Hygiene scanning access by removing Cyber Hygiene source IP addresses from block lists.
b. Within five working days of the change, notify CISA at email@example.com of any modifications to your agency’s Internet-accessible IP addresses. This includes newly acquired Internet-accessible IP addresses or re-assigned Internet-accessible IP addresses that are no longer part of the agency’s asset inventory.
c. Upon request from CISA, submit updated Cyber Hygiene agreements to firstname.lastname@example.org.
Review and Remediate Critical and High Vulnerabilities
a. Review Cyber Hygiene reports issued by CISA and remediate the critical and high vulnerabilities detected on the agency’s Internet-accessible systems as follows:
- Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
- High vulnerabilities must be remediated within 30 calendar days of initial detection.
b. If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt to email@example.com. The recipient of the remediation plan shall complete the following fields in the remediation plan:
- Vulnerability remediation constraints
- Interim mitigation actions to overcome constraints
- Estimated completion date to remediate the vulnerability
CISA will monitor federal agency progress and will engage agency senior leadership, such as Chief Information Security Officer (CISO), Chief Information Officer (CIO), and Senior Accountable Official for Risk Management (SAORM), as necessary and appropriate, when the agency has not met the Required Action deadlines specified above.
CISA also will track the remediation of critical and high vulnerabilities through persistent Cyber Hygiene scanning and will validate compliance with the BOD requirements through these reports.
CISA will provide regular reports to federal agencies on Cyber Hygiene scanning results and current status, and a Federal Enterprise ‘scorecard’ report to agency leadership.
CISA will provide standard remediation plan templates for federal agencies to populate if remediation efforts exceed required timeframes.
CISA will engage agency POCs to discuss agency status and provide technical expertise and guidance for the remediation of specific vulnerabilities, as requested and appropriate.
CISA will engage Agency CIOs, CISOs, and SAORMs throughout the escalation process, if necessary.
CISA will provide monthly Cyber Hygiene reports to OMB to identify cross-agency trends, persistent challenges, and facilitate potential policy and/or budget-related actions and remedies. The report will also ensure alignment with other OMB-led cybersecurity oversight initiatives.
Frequently Asked Questions
- What is the scope of BOD 19-02, and what is meant by “internet-accessible”?
- If our internet-accessible application is only available to our agency, is that IP out of scope?
- Is shared infrastructure (e.g., FedRAMP) in scope?
- How was my agency’s scope of currently scanned systems determined?
- What types of changes to my agency’s scope do I need to report?
- The Directive requires us to ensure Cyber Hygiene scans are not blocked. What does that mean?
- Where can I locate Cyber Hygiene’s source IP addresses so my agency doesn’t add them to block lists?
- Which version of the Common Vulnerability Scoring System (CVSS) does CISA use?
- When do the 15 and 30 day “clocks” start for remediation?
- Will CISA alert closer to the point of initial detection?
- Why doesn’t the Directive prioritize which critical or high vulnerabilities are more important to remediate first?
- When will CISA start including high severity vulnerabilities in agencies’ reports?
- I fixed a vulnerability listed in my report. Can you do an out of band scan to verify?
- What’s the process for resolving false positives?
- Why is CISA requiring the return of completed remediation plans within three working days?
- What if there’s a valid rationale for delaying remediation?
What is the scope of BOD 19-02, and what is meant by “internet-accessible”?
The Directive applies to internet-accessible federal information systems3, which encompasses those systems directly managed by an agency as well as those operated on an agency’s behalf.
By “internet-accessible,” we mean any system that is reachable over the public internet that has a publicly routed IP address or a hostname that resolves publicly in DNS to such an address. The Directive doesn’t pertain to infrastructure that is internal to your network that enables endpoints to be accessible over the internet, systems reachable from the internet but that require special configuration or access controls (e.g. via a Virtual Private Network), or shared services used by your agency that are not specifically managed by your agency.
For example, if an agency has a critical vulnerability inside its network, BOD 19-02 doesn’t apply, as that vulnerability is not on an “internet-accessible” system. Local policy does apply, however, and we’d hope that an agency’s local policy aligns with these vulnerability remediation expectations for internet-accessible systems.
Currently, CISA’s Cyber Hygiene vulnerability scanning service is only able to accommodate systems with static, public IPv4 addresses. (“Ownership” for any given IP in Cyber Hygiene can only be tied to a single organization.) At this time, we do not perform vulnerability scans on hostnames, dynamic IPs, or IPv6 addresses.
If our internet-accessible application is only available to our agency, is that IP out of scope?
No. If a system is internet-accessible, then it must be included in the scanning scope for your agency’s Cyber Hygiene reports. The scope should include all of your static, public IPv4 addresses that are managed by or on behalf of your agency.
If access controls prevent CISA from seeing any open ports/listening services, the IP will be categorized as “dark” but reassessed every 90 days. Should you see it in Cyber Hygiene reports as responsive, that could be an indicator that some configuration has been changed.
Is shared infrastructure (e.g., FedRAMP) in scope?
BOD 19-02 doesn’t apply to third-party infrastructure, considered alone. It does apply to federal information systems that use cloud service provider infrastructure to operate an internet-accessible system.
For example, where an agency uses an infrastructure-as-a-service offering and has a static, public IPv4 address for the service it is managing, that address should be shared with CISA for Cyber Hygiene scans. While other “as-a-service” cloud computing services are implicated by the directive, they should be accounted for in agency or vendor scans (e.g., systems using FedRAMP should be scanned by the service provider).
With respect to shared routing infrastructure, the vendor managing the router is responsible for addressing vulnerabilities. Agencies need only to provide the static, public IPs managed by them or managed specifically on their behalf.
How was my agency’s scope of currently scanned systems determined?
Each agency provided CISA with its initial scope of static, public IPv4 addresses when the agency began using the Cyber Hygiene service, likely as required by BOD 15-01, which BOD 19-02 has since superseded. Since then, authorized agency POCs may have submitted change requests as your agency’s external footprint changed.
Per this Directive, Federal agencies are required to notify CISA of changes to their scope.
What types of changes to my agency’s scope do I need to report?
As your inventory of internet-accessible information systems changes, your agency’s designated technical POC – who is listed in your weekly Cyber Hygiene report – must notify firstname.lastname@example.org. This includes notifying us when public, static IPv4 addresses are newly acquired, assigned to or operated by your agency (or operated on behalf of your agency), or otherwise released/un-assigned.
The Directive requires us to ensure Cyber Hygiene scans are not blocked. What does that mean?
You should not grant any preferential treatment for Cyber Hygiene scanning by explicitly whitelisting our source IPs or opening any ports/services other than what is normally available for your systems.
CISA performs scanning and discovery from the perspective of an attacker. This perspective enables us to help gauge exposure and inform you on the urgency of response needed to counter threats and address vulnerabilities. However, because our scanning is focused on identifying exposed vulnerabilities, and in an effort to detect them quickly, we make no attempt at stealth. This means our scans may sometimes trigger alerts that an attacker using more conservative tactics might not.
So that you can distinguish Cyber Hygiene scans from random internet noise, we share a link to our source IPs in the Methodology section of your Cyber Hygiene reports. This allows you to properly triage and respond to alerts generated by your Security Information and Event Management (SIEM) application. To reduce alerts and conserve analyst resources, it may be prudent to configure your SIEM sensors to not generate alerts on traffic from our published addresses. These addresses may change without prior notice, so we recommend regular monitoring.
Should any automatic blocking of our scanning addresses occur, you must remove the block and notify email@example.com which addresses we were unable to connect to. This lets us restart scanning on those IPs.
Where can I locate Cyber Hygiene’s source IP addresses so my agency doesn’t add them to block lists?
The page containing Cyber Hygiene’s source IP addresses is included within the Methodology section of your weekly Cyber Hygiene reports. It can also be provided to your technical POC(s) upon request to firstname.lastname@example.org.
Which version of the Common Vulnerability Scoring System (CVSS) does CISA use?
Cyber Hygiene Vulnerability Scanning uses the latest available version of CVSS ratings.
While organizations move away from using the CVSS scores to prioritize their vulnerability management efforts and are adopting CISA’s catalog of Known Exploited Vulnerabilities (KEVs) as the gold standard, we understand that there is still a need to support CVSS scoring. Binding Operational Directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, requires federal civilian executive branch agencies to remediate critical and high vulnerabilities on their internet-accessible systems. Although the CVSS base scoring alone is insufficient to drive prioritization, Cyber Hygiene Vulnerability Scanning - which only identifies vulnerabilities accessible by an untrusted third party via the Internet - leverages CVSS scoring as a foundational, quantitative breakdown for determining vulnerability severity per BOD 19-02 as a compliment to the KEV catalog.
As of June 13, 2022, that means that if a Cyber Hygiene finding has a Common Vulnerabilities and Exposures (CVE) severity rating in the National Vulnerability Database (NVD), CISA will use the latest available CVSS version as follows:
- CVSSv3.1 if available
- If CVSSv3.1 is not available, then CVSSv3.0
- If neither CVSSv3.1 nor v3.0 are available, then CVSSv2.0 with the exception that base score of 10.0 will be rated as critical
Note: Cyber Hygiene will use the severity ratings listed by the scanning tools in cases where the NVD has not provided a CVE severity rating.
Agencies are encouraged to first consider whether Cyber Hygiene findings are KEVs and otherwise apply environmental scoring to their results, where capable and practical, so that the findings are more meaningful to their specific architectures, missions, and assets and can better assist in prioritizing remediation efforts.
When do the 15 and 30 day “clocks” start for remediation?
BOD 19-02 starts tracking vulnerabilities from the time of initial detection, not the time when notification is made.
To facilitate tracking, the ‘initial detection date’ of each vulnerability is included within the
findings.csv attachment under appendix G in your Cyber Hygiene reports.
Will CISA alert closer to the point of initial detection?
Yes. As of June 2019, CISA has been sending federal agencies an email alert detailing newly-detected critical and high severity vulnerabilities within 24 hours of their initial detection.
Why doesn’t the Directive prioritize which critical or high vulnerabilities are more important to remediate first?
BOD 19-02 provides a Federal cybersecurity standard in the remediation of critical and high vulnerabilities. As such, agencies are responsible for managing and prioritizing cybersecurity risk appropriately within their environments. Because CISA does not have the ability to know the particular nuances of each agency’s environmental risk factors and mitigating controls, CISA recommends configuring patch management and vulnerability management programs to exceed BOD 19-02 requirements where possible and to prioritize certain vulnerabilities and devices over others in line with each agency’s existing security baselines.
CISA encourages agencies to apply additional parameters, rules, and internal policy decision points as necessary, which may affect the acceptable timeframes to remediate specific types of vulnerabilities or vulnerabilities affecting certain types of devices. For example, agencies should consider the impact the exploitation of a vulnerability may have if an internet-accessible IP address is associated with a High Value Asset (HVA) or Mission Essential System (MES). Likewise, agencies should consider how many assets are affected by a specific vulnerability type and how long vulnerabilities have existed.
CISA continuously analyzes threat and vulnerability information as well as engages stakeholder communities to further prioritize indicators which may extend beyond internet-accessible devices and currently defined severity scores. In these instances, CISA provides alerts to stakeholders and coordinates cross-agency responses to ensure adequate steps are being taken across the Federal enterprise.
When will CISA start including high severity vulnerabilities in agencies’ reports?
In preparation for BOD 19-02, the Federal Cyber Exposure Scorecard (FCES) sent to agency leadership started showing high vulnerability counts (in addition to the already reported critical vulnerability counts) in March 2019. CISA will continue to scan for and report on vulnerabilities of all severities (from low to critical) and include this information in agencies’ weekly Cyber Hygiene reports.
I fixed a vulnerability listed in my report. Can you do an out of band scan to verify?
Cyber Hygiene scanning is persistent and will automatically rescan for previously detected vulnerabilities. Therefore, CISA does not offer out of band scans as part of the Cyber Hygiene scanning service. The frequency of scanning any given IP is based on the highest vulnerability severity level detected on it, as described within the Methodology section of your Cyber Hygiene reports. If the Cyber Hygiene scans no longer detect the vulnerability, it will be listed in Appendix B.1: Mitigated Vulnerabilities of your weekly Cyber Hygiene report.
What’s the process for resolving false positives?
To report a Cyber Hygiene-identified vulnerability as a false positive, please submit an email through your agency’s technical POC to email@example.com (and cc: firstname.lastname@example.org) with analysis and supporting evidence for determination (e.g., a screenshot of the IP address and operating system). CISA will review your submission and perform necessary analysis to validate the assertion. This will not include exploiting a vulnerability, but may include sending packets to the host in question. CISA reserves the right to assert that findings are not false positives, but if CISA’s analysis appears to confirm your agency’s assertion, the vulnerability will be marked as a false positive.
Please utilize the False Positive Assertion form attached within your Cyber Hygiene report to organize your submission. The
cyber-hygiene-false-positive-assertion-form.pdf attachment is located under Appendix G, by clicking on the paper clip icon for the file. False positive status expires 365 days after designation by CISA, and agencies are required to re-submit evidence on an annual basis to confirm the vulnerability remains a false positive. Vulnerabilities marked as ‘false positives’ will stop appearing in the main body of report for one year and will instead be reported in Appendix E: False Positive Findings, along with the expiration date of the false positive. Note: CISA acceptance of false positive assertions is not confirmation that a finding is indeed a false positive.
Why is CISA requiring the return of completed remediation plans within three working days?
CISA expects agencies to begin formulating remediation strategies well in advance of the 15 and 30 day deadlines to accelerate remediation of vulnerabilities and allow easy integration of remediation information into plans for submittal to CISA once the required timeframes for remediation are surpassed. CISA is compensating for the short turn-around time by providing a mostly pre-populated remediation plan for agency personnel to complete. Agencies only need to complete the data fields for mitigation steps, constraints, and estimated completion dates. This will ensure agencies are reporting the correct vulnerabilities within remediation plans, especially prior to changes introduced by the next week’s Cyber Hygiene reports.
What if there’s a valid rationale for delaying remediation?
Please document the justification for delayed remediation in the remediation plan provided by CISA (within the data column ‘remediation constraints’). CISA understands the distinctiveness of agency networks and the dependences involved in vulnerability remediation, and is willing to work with agencies on a case-by-case basis when remediation is not feasible within established timeframes. Within the remediation plan, please be as descriptive as possible in detailing the justification for the delay.
DHS Binding Operational Directive 15-01 was issued on May 21, 2015.
Cyber Hygiene leverages the Common Vulnerability Scoring System (CVSS), which is a vulnerability scoring system designed to provide a universally open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize vulnerability management strategies by providing a score representative of the base, temporal, and environmental properties of a vulnerability.
Which does not include statutorily defined “national security systems” nor systems operated by the Department of Defense or the Intelligency Community.