India Mandates 12-Hour Security Patching

TL;DR: India's CERT-In has issued a new guideline for organizations. They must now patch critical vulnerabilities in internet-facing systems within 12 hours of notification, where feasible. This rapid response is required to counter threats from attackers using AI tools to automate and accelerate their attacks.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published
- Source: The Hacker News
Full summary
India's cybersecurity agency now requires organizations to patch critical internet-facing vulnerabilities within 12 hours of being flagged, where feasible.
India's Computer Emergency Response Team (CERT-In) has introduced a significant new guideline for organizations. The directive mandates that critical security vulnerabilities in internet-facing systems must be patched within 12 hours of being flagged. This requirement applies "where feasible," offering some operational flexibility for complex scenarios. The new policy represents a major shift towards a more aggressive and proactive national security posture, aiming to drastically shorten the time that critical infrastructure and corporate systems remain exposed to known threats. It underscores the growing urgency among cybersecurity agencies to counter increasingly sophisticated and rapid cyberattacks.
The primary motivation for this accelerated timeline is the rise of AI-assisted attacks. CERT-In highlights that malicious actors are increasingly using artificial intelligence and large language models (LLMs) to automate the discovery and exploitation of software flaws. These tools enable attackers to scan for vulnerable systems and launch attacks at a scale and speed previously unseen, creating a much smaller window for defenders to react. The 12-hour mandate is a direct attempt to outpace these automated threats. For businesses, this means IT and security teams must re-evaluate their incident response and patch management protocols to ensure they can meet the demanding deadline. Compliance will require highly efficient testing and deployment processes.
Why it matters
This mandate sets a new, aggressive standard for patch management, forcing companies to adapt their security operations to counter faster, AI-driven attacks.
Business impact
Companies operating in India must overhaul their patch management and incident response plans to comply with the 12-hour deadline. Failure to do so increases compliance risk and exposure to rapid, automated cyberattacks, potentially leading to significant operational disruption and data breaches.
⚡ Action needed
Organizations with internet-facing systems in India must review and update their security policies and patch management procedures to comply with the new 12-hour mandate.
Action checklist
1. Review CERT-In's new guidelines to understand the full scope.
2. Assess your current patch management process and identify bottlenecks.
3. Update your incident response plan to accommodate the 12-hour timeline.
4. Implement automation for vulnerability scanning and patch deployment where possible.
5. Ensure you have 24/7 monitoring and response capabilities for critical alerts.
Primary source: The Hacker News