The Department of Homeland Security’s new Binding Operational Directive 19-02 accelerates the patching schedule for government agencies from 30 to 15 days for a critical security flaw—and meeting that short time frame will expose “some basic limitations in the way the federal frameworks address cyber risk,” writes Jack Freund, RiskLens Risk Science Director, in an article just out on Homeland Security Today.
Jack applauds DHS for looking to shorten the “window of vulnerability” (WOV) for zero-day exploits. But here’s the flaw he sees: The directive perpetuates the use of the Common Vulnerability Scoring System (CVSS) framework to determine vulnerability criticality.
CVSS cannot help government agencies put a risk rating on their IT assets or factor in the cost of the additional security investments needed to comply with the directive, both of which are critical capabilities for agencies facing the directive’s accelerated deadline. Only a cyber risk quantification (CRQ) model can give that kind of guidance, Jack writes. He goes on to give federal cybersecurity officials some tips on how to apply cyber risk quantification in government.
Read RiskLens Risk Science Director Jack Freund’s article: HSTRisk: Addressing Cyber Risk Under the New DHS Directive.