DHS issued May directive to quickly patch federal systems

DHS issued May directive to quickly patch federal systems

The Department of Homeland Security (DHS) issued a first-of-its-kind emergency directive in May, requiring all federal agencies to patch critical network vulnerabilities within 30 days, Federal News Radio reported Monday.

The alert came weeks after the DHS discovered hackers had made off with millions of federal workers’ records. It also came after the agencies connected a string of at least nine cyberattacks on industry and government over the past year.

“The cyber threat actors involved in each of these incidents demonstrated a well-planned attack and high level of sophistication,” said the DHS report.

Noticing the pattern, the DHS issued on May 21 a “Binding Operational Directive” (BOD), a new authority granted under a bill passed during Congress’s lame-duck session last year.

The directive requires all agencies to fix their most critical vulnerabilities in Internet-facing systems within 30 days. If they are unable to do that, they have to go to the DHS for help.


The Office of Personnel Management (OPM) revealed last week that Chinese hackers had made off with 4 million workers’ records.

According to the DHS May alert, the OPM hack was just one in a series of nine connected attacks.

Many of those are likely high-profile breaches that have already been made public.

It’s thought Beijing-backed hackers are behind a number of attacks across the public and private sector, with an ultimate goal to help build up China’s database on federal workers.

Chinese cyber warriors are suspected in breaches of three health insurers earlier this year — Anthem, Premera Blue Cross and CareFirst. Together, the digital assaults exposed more than 90 million people’s data.

Beijing is also thought to have orchestrated the November cyberattack on the U.S. Postal Service (USPS) that laid bare 800,000 federal workers’ data.

Two major government contractors conducting background checks for the federal government — USIS and KeyPoint Government Solutions — were also hit last fall, compromising more than 75,000 federal employees’ information.