CERT-In Issues New Cybersecurity Guidelines: 38 Page Blueprint


The Indian Computer Emergency Response Team (CERT-In) has released a comprehensive 38-page cybersecurity blueprint introducing new security standards for organizations operating in India.

Under the new guidelines, organizations are directed to patch known, actively exploited security flaws on internet-facing systems within 12 hours of discovery wherever feasible.

This major policy update addresses the growing use of automated Artificial Intelligence (AI) tools by bad actors, which has significantly accelerated the speed and execution of digital network attacks.

Key Points: What You Need to Know

  • The 12-Hour Priority: Organizations must remediate or safely isolate known exploited vulnerabilities (KEVs) affecting internet-exposed and critical business applications within a 12-hour window.
  • Risk-Based Tiered Timelines: For other vulnerabilities, CERT-In has outlined a tiered schedule based on risk priority:
      • Critical external flaws: Fix within 1 day.
      • Critical internal vulnerabilities (high-value systems): Fix within 3 days.
      • High-severity issues: Fix within 5 days.
  • The AI Shift: CERT-In notes that AI-assisted cyber operations allow adversaries to rapidly discover, weaponize, and exploit weaknesses in APIs, cloud platforms, and software supply chains, sharply compressing the time available for defenders to respond.
  • Temporary Safeguards: If an official software patch is not immediately available, organizations are advised to apply interim safety measures. These include system isolation, strict access restrictions, deploying Web Application Firewalls (WAF), or temporarily disabling the vulnerable feature.
  • 6-Hour Reporting Baseline: The advisory reinforces the standing 2022 mandate requiring all cybersecurity incidents to be officially reported to CERT-In within 6 hours of discovery.

A Step-by-Step Security Blueprint

CERT-In recommends that organizations adopt these guidelines using a phased 3-stage approach to avoid disrupting internal operations.

Frequently Asked Questions (FAQs)

Q1: What is CERT-In?

A: CERT-In stands for the Indian Computer Emergency Response Team. It is the national nodal agency responsible for handling cybersecurity threats, analyzing security flaws, and issuing emergency advisories to protect India’s digital infrastructure.

Q2: Why did CERT-In reduce the patching window to 12 hours?

A: Automated AI technologies now allow malicious actors to scan networks and build functional exploits much faster than before. By establishing an aggressive 12-hour guideline for critical, internet-facing assets, the agency aims to close the exposure window before automated tools can locate the flaw.

Q3: What should an organization do if a software patch isn’t available yet?

A: When a permanent patch is delayed, CERT-In advises implementing temporary mitigations to lower risk. This includes placing the vulnerable system behind a Web Application Firewall (WAF), restricting user access, or isolating the affected segment from the public internet.

Q4: Does this apply to all digital assets?

A: The 12-hour expectation specifically targets high-priority, internet-facing systems, core business applications, and critical infrastructure. Internal or lower-severity systems follow a tiered schedule ranging from 1 to 5 days.
