The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued the binding operational directive (BOD) 19-02 which requires federal agencies to remediate critical security vulnerabilities within 15 days since the initial detection.
As explained by CISA, “A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”
According to the federal agency responsibilities presented within the Code of Laws of the United States of America (U.S. Code), the agencies are required to adhere to DHS-developed directives.