Administration moving forward with vulnerability disclosure policies
- By Derek B. Johnson
- Sep 03, 2020
The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency have issued guidance to federal agencies on how to set up vulnerability research and disclosure programs that allow security researchers to safely and legally report vulnerabilities they find on federal IT systems.
"This directive is different from others we've issued, which have tended to be more technical – technological – in nature," CISA Assistant Director Bryan Ware explained on the agency's blog.
"At its core, [this directive] is about people and how they work together. That might seem like odd fodder for a cybersecurity directive, but it's not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow."
The CISA directive gives agencies 30 days to establish a contact for each registered .gov domain so researchers who find problems can easily report them. Within six months, agencies must publish their own vulnerability disclosure policy outlining the scope of covered systems, how outside security researchers can submit reports, expectations for how and when the agency will respond and a clear commitment that they will not recommend or pursue legal action against anyone making a good faith effort to follow the rules. They cannot require personally identifiable information from researchers, must allow for anonymous submissions and must not restrict the ability of researchers to disclose vulnerabilities to others outside of requesting a "reasonably time-limited response period."
After nine months, agencies must start adding at least one internet-accessible system or service to the list of eligible programs, and within two years, all such systems must be covered under the program. CISA will also set up a new vulnerability disclosure platform service next spring.
The OMB memorandum specifies that agency programs should be closely aligned with both current federal laws as well as international standards, such as those set out by the International Organization for Standardization or the International Electrotechnical Commission.
While bug bounties can be useful, OMB warns that individual agencies must "carefully weigh the cost, organizational competence and maturity required for a strong and sustainable program."
Vulnerability disclosure programs "empower agencies to crowdsource vulnerability discovery and thereby realize extraordinary return on investment," Acting Deputy Director for Management Michael Rigas said in a statement." This is part of an ongoing effort to improve our cyber defenses and to improve government transparency, while adopting industry-tested and cost-effective measure to improve federal information security programs."
The OMB press release also said it is already working with CISA and others to establish their programs and "expand their scope in a responsible manner."
"Cybersecurity researchers perform an enormous public service by volunteering their time to find and report problems that threaten Americans' security and privacy," Sen. Ron Wyden (D-Ore.) said in a statement. "The government should be rolling out the red carpet to them. CISA deserves praise for this effort to repair the damage done over the years by government agencies harassing and prosecuting cybersecurity researchers."
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.