The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget will require civilian agencies to develop vulnerability disclosure policies, allowing outside experts who have “seen something” that looks like a cyber weakness to “say something” to those who can fix it.
Under the draft binding operational directive released Wednesday, agency VDPs would make it clear that “an agency welcomes and authorizes good-faith security research on specific, internet-accessible systems,” CISA Assistant Director for Cybersecurity Jeanette Manfra wrote in a blog post.
Meanwhile, OMB will meet with executives from the Department of Homeland Security, the General Services Administration, the Commerce Department and other agencies to work on implementation strategies and to assess the benefits of leveraging bug bounty programs. That group will then submit its recommendations to the Federal Chief Information Security Officers Council.
In an accompanying memo, Federal Chief Information Officer Suzette Kent wrote that vulnerability disclosure policies (VDPs) not only serve as an effective means of vulnerability disclosure, they also provide legal cover for those who come forward with vulnerability information, “by differentiating between acceptable and unacceptable means of gathering security.”
In the draft BOD, CISA Director Chris Krebs wrote that most federal agencies have no formal procedure that allows outside experts to warn them about potential security vulnerabilities on their systems, nor a defined strategy for handling the reports they do receive.
“Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized,” Krebs wrote. “These circumstances create an environment that delays or discourages the public from reporting potential information security problems to the government, which can prevent these issues from being discovered and fixed before they are exploited or publicly disclosed.”
The draft BOD doesn’t establish a governmentwide bug bounty, but nothing prevents agencies that don’t already have such a program from setting one up.
The Defense Department and the military branches have launched bug bounty programs over the past few years that pay security researchers and white-hat hackers for disclosing vulnerabilities in public-facing systems.
Civilian agencies have seen a slower rollout. The General Services Administration launched its own bug bounty program in 2017, and members of Congress have tried to get other agencies into the practice.
The directive also doesn’t create a national VDP program, but instead requires civilian agencies to develop their own individual policies. Manfra said that distinction might appear nuanced at first, but actually makes a significant difference in practice.
“Why isn’t this a national VDP? We think a single, universal vulnerability disclosure policy for the executive branch is a good goal. It makes sense particularly when each agency has all internet-accessible systems in scope, but we expect that goal to be an unrealistic starting place for most agencies,” Manfra wrote. “Instead, the directive supports a phased approach to widening scope, allowing each enterprise — comprised of the humans and their organizational tools, norms, and culture — to level up incrementally.”
The draft directive also requires agencies to include in the scope of their VDPs any internet-accessible system launched after the policy is published, and to add at least one additional internet-accessible system to the scope every 90 days until “everything is included.”
Within two years of the directive’s issuance, all of an agency’s internet-accessible systems must be in the scope of its VDP.
Unlike previous directives, CISA has released the draft BOD for public comment and will fold that feedback into the final version. CISA and OMB will accept public comments through Dec. 27.
Marten Mickos, CEO of vulnerability disclosure and bug bounty platform HackerOne, applauded the draft BOD, saying it would set standards for inviting ethical hackers to look for vulnerabilities in agency systems on an ongoing basis.
“Every organization, especially those protecting sensitive information, should have a public-facing way to report security vulnerabilities,” Mickos wrote in an email. “As a society, we must agree and mandate that anyone providing a digital product or service must have a proper way of receiving bug reports and fixing the problems.”