Uttarakhand govt departments face new 12-hour cybersecurity fix mandate
New 12-hour vulnerability fix mandate poses challenge for Uttarakhand departments

Govt departments in Uttarakhand may face a tougher compliance test under the Centre’s new 12-hour vulnerability-fix mandate, officials at the Information Technology Development Agency (ITDA) said. Last month, the Ministry of Electronics and Information Technology (MeitY) directed govt agencies to patch known cybersecurity vulnerabilities within 12 hours of detection.

ITDA officials said many departments were already struggling to address vulnerabilities within prescribed timelines, largely because they rely on third-party vendors to maintain applications or lack adequate technical manpower. The challenge assumes significance as some portals and applications hosted at the State Data Centre (SDC) have been temporarily taken offline over the past year after security flaws remained unaddressed.

State Data Centre hosts nearly 200 portals, including those of CM office and police

The SDC hosts nearly 200 portals and applications, including those linked to the chief minister’s office, Raj Bhavan, transport and police departments. According to ITDA officials, the shutdowns were precautionary measures taken after departments failed to address vulnerabilities flagged during periodic security audits.

“An internal cybersecurity team audits all applications hosted at the data centre every three months and shares vulnerability reports with the departments concerned, asking them to fix the issues based on their severity. Almost 10% of the portals audited receive communications seeking explanations or directing departments to address vulnerabilities after every audit. Portals that fail to respond or rectify critical vulnerabilities despite repeated communication are shut down as a precautionary measure,” said Ashish Upadhyay, deputy general manager (cybersecurity), ITDA.

Departments often outsource applications, lack ownership

Upadhyay said the agency frequently encounters cases where departments do not take ownership of applications or continue hosting portals that are no longer in use. “Some applications lie dormant. They were once in use but are no longer required, yet they continue to be hosted at the State Data Centre,” he said.

To improve coordination, ITDA has appointed cyber nodal officers in every department. However, officials said several departments continue to face difficulties in meeting compliance timelines. “In many cases, departments are not the creators of the applications concerned. They have outsourced them to third parties. In some cases, they do not have enough technical manpower,” Upadhyay said.

Applications taken offline if vulnerabilities not fixed within threshold

Applications that remain vulnerable beyond the prescribed remediation period are temporarily taken offline to prevent risks to other portals hosted at the State Data Centre. “When the threshold period is over, we have to take the application down. The moment they patch it, we put it back online,” he said.
