CISA to Improve Vulnerability Disclosure Practices

November 29, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) issued a draft binding operational directive, BOD 20-01, which will require federal civilian executive branch agencies to publish a vulnerability disclosure policy (VDP).

"A VDP allows people who have “seen something” to “say something” to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems," CISA says. In preparing the directive, CISA worked with several agencies that have VDPs and made an effort to align the directive with federal guidance, international standard and good practices.

"But this directive is slightly different from others we’ve issued, where agencies are directed to take an action and then CISA verifies the action has taken place. Here, while agencies must maintain VDPs and are the beneficiaries of vulnerability reports, it’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation," says CISA. They are also seeking public feedback before issuance.

CISA notes the VDP initiative:

Lights a fire. Each agency must publish a VDP and maintain handling procedures, and the directive outlines a set of required elements for both.
Draws a line in the sand. Systems “born” after publication of a VDP must be included in scope of an agency’s VDP.
Expands the circle. Until everything is included, at least one new system or service must be added every 90 days to the scope of an agency’s VDP.
Starts the clock. There’s an upper bound – 2 years from issuance, in this draft – for when all internet-accessible systems must be in scope.
All are welcome. Anyone that finds a problem must be able to report it to an agency.
No “catch and keep”. An agency may only request a reasonably time-limited restriction against outside disclosure to comply with their VDP.
Defense, not offense. Submissions are for defensive purposes; they don’t go to the Vulnerabilities Equities Process.

What doesn’t it do?

Does not establish a ”federal bug bounty”. A bug bounty is a program that pays researchers for valid and impactful findings. Nothing in the directive prevents individual agencies from establishing a bug bounty of their own, though.
Does not create a “national VDP”. The directive is an executive branch policy instruction that requires federal civilian executive branch agencies to have a VDP. The difference might appear slight but they’re very different things.

CISA wants to hear from people with personal or institutional expertise in vulnerability disclosure and from organizations that have a VDP and manage coordinated vulnerability disclosures. They welcome any feedback and perspective on all these documents, as well as any comments on the approach. The public comment will take place on GitHub and last until December 27th, 11:59pm EST.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

CISA to Improve Vulnerability Disclosure Practices

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

CISA to Improve Vulnerability Disclosure Practices

Related Articles

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.