The Department of Homeland Security’s cyber agency is issuing a draft directive that would require individual federal agencies to establish vulnerability disclosure programs.
The Cybersecurity and Infrastructure Security Agency released a draft binding operational directive Nov. 27 for comment that would mandate that federal agencies better their cybersecurity through VDPs, in which security researchers can report vulnerabilities in federal government websites.
In a blog post, CISA’s Assistant Director of Cybersecurity Jeanette Manfra said that this is the first time CISA has sought public feedback on a directive.
“This directive is slightly different from others we’ve issued, where agencies are directed to take an action and then CISA verifies the action has taken place,” wrote Manfra, who is leaving for the private sector in the new year. “Here, while agencies must maintain VDPs and are the beneficiaries of vulnerability reports, it’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation.”
The draft directive was published in tandem with a notice in the Federal Register from the Office of Management and Budget requesting comment on a draft memorandum, titled “Improving Vulnerability Identification, Management, and Remediation.”
VDPs “are among the most effective methods for obtaining new insights regarding security vulnerability information,” OMB wrote in the notice. “They also provide protection for those who uncover these vulnerabilities by differentiating between acceptable and unacceptable means of gathering security information.”
The comment period will be open for 30 days.
The draft directive was applauded by security research companies. Marten Mickos, CEO of HackerOne, which runs vulnerability disclosure programs, said that there were “hundreds of thousands” of security researchers waiting to help federal agencies. Leaders at companies that run VDPs have long said the government needed to take this step.
“By taking this action, the federal government is putting the U.S. among the leading nations when it comes to cybersecurity of government systems,” Mickos said. “DHS and the Office of Management and Budget are setting this standard by inviting ethical hackers to look for vulnerabilities in their systems on an ongoing basis.”
Binding operational directives are one of the few means CISA has to actually mandate that organizations take action — many of its programs rely largely on voluntary participation. If this draft directive were implemented, agency systems developed after the agency VDP is established must be “in scope” of the program, meaning that security researchers must be allowed to probe for and submit vulnerabilities. Agencies would also have to add a new system to the program every 90 days until all of their internet-accessible programs are included, and all systems must be included after two years.
Manfra also emphasized that CISA was not mandating a bug bounty program, in which security researchers get paid for their findings.
The public comment period will last until Dec. 27 and can be accessed on CISA’s GitHub page.