{"id":30203,"date":"2026-06-18T14:42:27","date_gmt":"2026-06-18T18:42:27","guid":{"rendered":"https:\/\/michigan.it.umich.edu\/news\/?p=30203"},"modified":"2026-06-18T14:42:28","modified_gmt":"2026-06-18T18:42:28","slug":"upcoming-vulnerability-management-ds-21-changes","status":"publish","type":"post","link":"https:\/\/michigan.it.umich.edu\/news\/2026\/06\/18\/upcoming-vulnerability-management-ds-21-changes\/","title":{"rendered":"Upcoming Vulnerability Management (DS-21) Changes"},"content":{"rendered":"\n<div class=\"wp-block-uagb-image uagb-block-84136525 wp-block-uagb-image--layout-default wp-block-uagb-image--effect-static wp-block-uagb-image--align-none\"><figure class=\"wp-block-uagb-image__figure\"><img decoding=\"async\" srcset=\"https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png ,https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png 780w, https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png 360w\" sizes=\"auto, (max-width: 480px) 150px\" src=\"https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png\" alt=\"A blue keyboard button with the words vulnerability management.\" class=\"uag-image-30206\" width=\"327\" height=\"180\" title=\"SCN_Spring26_vulnerability_management - Andrew Durand\" loading=\"lazy\" role=\"img\"\/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Artificial Intelligence is rapidly changing the sphere of cybersecurity threats to IT infrastructures. The number of attacks targeting the university is increasing, while the time between identification and exploitation is decreasing. ITS Information Assurance (IA) is cognizant of the shifting threat landscape and is\u00a0<a href=\"https:\/\/it.umich.edu\/information-technology-policies\/policies-under-review\" target=\"_blank\" rel=\"noreferrer noopener\">finalizing updates to the Vulnerability Management (DS-21) standard<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Vulnerability management is a critical component of the university\u2019s information security program and is essential to protecting U-M data and systems and reducing financial, reputational, and regulatory risks. To manage vulnerabilities in an effective and timely manner, IA works in close partnership with units. The DS-21 standard establishes compliance requirements for this important work.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New Enrollment Requirement and Exception Process<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A notable change to the standard is the requirement for \u201call university-owned systems, regardless of location and the sensitivity level of institutional and research data they create, process, maintain, transmit, or store\u201d to enroll in the enterprise vulnerability management system (Tenable). The standard introduces a process by which units can request exceptions for systems with conflicts that prevent the installation of Tenable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes to Prioritization and Remediation Guidelines<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Previously, there were two priority levels, Critical and High, with timeframes for resolution of 1 month and 3 months, respectively. A new priority level, Urgent, has been added, with a 2-week resolution timeframe. The updated severity levels and remediation timeframes are informed by multiple considerations, including threat level, exposure, asset criticality, and compensating controls. This updated framework, supported by Tenable reporting, will enable unit staff to better focus their remediation efforts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Clarification of Roles and Responsibilities<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The revision simplifies and clarifies roles and responsibilities for IA and IT staff and introduces a set of responsibilities for end users around keeping devices up-to-date on security safeguard. A draft of the revision is available for review on the\u00a0<a href=\"https:\/\/it.umich.edu\/information-technology-policies\/policies-under-review\" target=\"_blank\" rel=\"noreferrer noopener\">VPIT-CIO website<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Artificial Intelligence is rapidly changing the sphere of cybersecurity threats to IT infrastructures. The number of attacks targeting the university is increasing, while the time between identification and exploitation is decreasing. ITS Information Assurance (IA) is cognizant of the shifting threat landscape and is\u00a0finalizing updates to the Vulnerability Management (DS-21) standard. Vulnerability management is a critical component of\u2026 <span class=\"read-more\"><a href=\"https:\/\/michigan.it.umich.edu\/news\/2026\/06\/18\/upcoming-vulnerability-management-ds-21-changes\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":216,"featured_media":30206,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","_umich_oidc_access":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_ef_editorial_meta_date_first-draft-date":"","_ef_editorial_meta_paragraph_assignment":"","_ef_editorial_meta_checkbox_needs-photo":"","_ef_editorial_meta_number_word-count":"","footnotes":""},"categories":[27],"tags":[61,942,26],"class_list":["post-30203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-safe-computing","tag-ai","tag-artificial-intelligence","tag-training"],"uagb_featured_image_src":{"full":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"medium":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"medium_large":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"large":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"1536x1536":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"2048x2048":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"excerpt-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand-200x132.png",200,132,true],"themonic-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand-60x42.png",60,42,true],"ioslider-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"post-thumbnail":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false],"400x250-crop":["https:\/\/michigan.it.umich.edu\/news\/wp-content\/uploads\/2026\/06\/SCN_Spring26_vulnerability_management-Andrew-Durand.png",240,132,false]},"uagb_author_info":{"display_name":"Andrew Durand, ITS Information Assurance","author_link":"https:\/\/michigan.it.umich.edu\/news\/author\/adurand\/"},"uagb_comment_info":0,"uagb_excerpt":"Artificial Intelligence is rapidly changing the sphere of cybersecurity threats to IT infrastructures. The number of attacks targeting the university is increasing, while the time between identification and exploitation is decreasing. ITS Information Assurance (IA) is cognizant of the shifting threat landscape and is\u00a0finalizing updates to the Vulnerability Management (DS-21) standard. Vulnerability management is a&hellip;","_links":{"self":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/30203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/users\/216"}],"replies":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/comments?post=30203"}],"version-history":[{"count":2,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/30203\/revisions"}],"predecessor-version":[{"id":30208,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/posts\/30203\/revisions\/30208"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/media\/30206"}],"wp:attachment":[{"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/media?parent=30203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/categories?post=30203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michigan.it.umich.edu\/news\/wp-json\/wp\/v2\/tags?post=30203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}