Federal security regulators are weighing a requirement for major cloud vendors to address critical cybersecurity vulnerabilities in just three days—ten times faster than current FedRAMP guidelines.
The updated compliance rules would apply to software vendors in the Federal Risk and Authorization Management Program (FedRAMP), the government’s system for setting a security baseline for any cloud services. The speedier remediation timeline reflects a shifting threat landscape that’s seeing autonomous AI adversaries pounce on high-impact vulnerabilities right away and at scale.
Three days to remediate a critical vulnerability is really fast and would put enormous pressure on security teams. Maybe that’s why the current compliance proposal is couched in “should”:
“Providers SHOULD fully mitigate or remediate credibly exploitable vulnerabilities in internet-reachable resources promptly, within three calendar days of detection,” FedRAMP says in its request for comment on the new vulnerability rules.
Companies meeting the FedRAMP High security level—the program’s most stringent clearance, with hundreds of exacting security controls—are already expected to fix critical vulnerabilities in 30 days. With this update, any FedRAMP-authorized organization would have just 72 hours to tend to these vulns. The changes would apply to the “FedRAMP 20x” makeover of the flagship security program, an effort aimed at streamlining the FedRAMP process.
Why the rush? Are FedRAMP program managers just trying to prevent security leaders from enjoying three-day weekends?
Agentic AI pressure on FedRAMP environments
If anything, the new guidance isn’t pushing software vendors to fix critical flaws quickly enough. That’s because AI technology is empowering adversaries to slash the time it takes them to exploit software bugs.
Gone are the days when defenders could “safely” sit on a critical software flaw for weeks without fixing it. This was never a security best practice, of course—allowing critical, exploitable vulnerabilities to linger unpatched in your enterprise environment is the digital equivalent of leaving your home front door unlocked and hoping you don’t get burgled. Sure, someone may not go around trying doorknobs every day, but is that a risk you’re willing to accept?
Generative AI tools are allowing attackers to try every doorknob out there, day and night. The gap between a zero-day landing publicly and real-world exploitation of that vulnerability was shrinking from weeks to days before agentic AI technology entered the mix. As Mandiant reports, this “time-to-exploit” (TTE) metric has dropped precipitously from 63 days in 2018 to just five days in 2023. By next year, we could be looking at real-world exploits dropping within hours of vulnerability details landing on the open internet.
Back to that three-day FedRAMP deadline: the cloud security program’s managers have clearly caught on to these vulnerability trends. The new standard’s goal “is to ensure providers promptly detect and respond to critical vulnerabilities by considering the entire context over Common Vulnerability Scoring System (CVSS) risk scores alone, prioritizing realistically exploitable weaknesses, and encouraging automated vulnerability management.”
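To make the "context over CVSS alone" point concrete, here is a small remediation-SLA triage script. It is an added example, not code from Synack or FedRAMP, and it models only the two windows the post mentions: three calendar days for credibly exploitable, internet-reachable findings (the proposed rule) and 30 days for other critical findings (the existing FedRAMP High expectation). The finding fields, the 9.0 CVSS cutoff for "critical", the 24-hour "due soon" threshold and the sample findings are all assumptions constructed for the example; how a program decides that a weakness is "credibly exploitable" is out of scope here.

```python
"""Remediation-deadline triage modeled on the proposed FedRAMP 20x rule (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows taken from the post: 3 calendar days for credibly exploitable,
# internet-reachable findings; 30 days for other critical findings (the
# existing FedRAMP High expectation). Non-critical findings that do not
# meet the 3-day trigger get no deadline here (assumption: out of scope).
SLA_EXPLOITABLE_REACHABLE = timedelta(days=3)
SLA_CRITICAL_BASELINE = timedelta(days=30)
CRITICAL_CVSS = 9.0          # assumed cutoff for "critical"
DUE_SOON = timedelta(hours=24)  # assumed alerting threshold


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float
    internet_reachable: bool
    credibly_exploitable: bool   # e.g. public exploit or observed exploitation
    detected_at: datetime        # timezone-aware


def sla_window(f: Finding):
    """Context decides the window first; CVSS alone only sets the fallback."""
    if f.internet_reachable and f.credibly_exploitable:
        return SLA_EXPLOITABLE_REACHABLE
    if f.cvss >= CRITICAL_CVSS:
        return SLA_CRITICAL_BASELINE
    return None


def due_at(f: Finding):
    window = sla_window(f)
    return None if window is None else f.detected_at + window


def status(f: Finding, now: datetime) -> str:
    deadline = due_at(f)
    if deadline is None:
        return "untracked"
    if now >= deadline:
        return "overdue"
    if deadline - now <= DUE_SOON:
        return "due_within_24h"
    return "open"


def triage(findings, now: datetime):
    """Return (id, status, deadline) rows, earliest deadline first, untracked last."""
    rows = [(f.finding_id, status(f, now), due_at(f)) for f in findings]
    rows.sort(key=lambda r: (r[2] is None, r[2] or now))
    return rows


# Constructed sample findings: note that F-1 has a lower CVSS than F-2 but
# gets the shorter window because it is reachable and credibly exploitable.
NOW = datetime(2025, 8, 4, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_FINDINGS = [
    Finding("F-1", 7.5, True, True, datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)),
    Finding("F-2", 9.8, False, False, datetime(2025, 7, 10, 0, 0, tzinfo=timezone.utc)),
    Finding("F-3", 9.1, True, True, datetime(2025, 8, 2, 0, 0, tzinfo=timezone.utc)),
    Finding("F-4", 5.3, True, False, datetime(2025, 8, 3, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for finding_id, state, deadline in triage(CONSTRUCTED_FINDINGS, NOW):
        print(f"{finding_id:5} {state:15} due={deadline}")
```

Run as a script to see the ordered queue; the row for F-1 is already overdue at the chosen "now" while the higher-scoring but internal F-2 still has days left, which is exactly the reprioritization the proposed rule asks for.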
FedRAMP has noted its proposed rules are still subject to change based on industry feedback. But regardless of what happens after comments are due Aug. 21, the writing is already on the wall. Time to exploit is accelerating. Defenders need to hurry up.
Synack can help. In the first year of using Synack’s FedRAMP Moderate Authorized penetration testing as a service platform (PTaaS), customers reduced their average time to remediate critical vulnerabilities by 50%. To learn more about how Synack PTaaS can help your organization navigate the new FedRAMP environment, schedule a demo.
Allison Williams is vice president, public sector at Synack.