The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has drafted a directive that would require government agencies to develop and publish a cyber vulnerability disclosure policy (VDP).
The order applies to all federal executive branch departments and agencies except for the Department of Defense, Central Intelligence Agency and the Office of the Director of National Intelligence. CISA is asking for public comment on the initiative, the first time the agency has requested public feedback ahead of issuing a directive. Should the order advance, agencies will have 180 days to publish their vulnerability disclosure policies.
“A vulnerability disclosure policy facilitates an agency’s awareness of otherwise unknown vulnerabilities,” CISA wrote in the order. “It commits the agency to authorize good faith security research and respond to vulnerability reports, and sets expectations for reporters.” The document bears CISA director Christopher Krebs name on it.
Most federal agencies don’t have a formal way for third parties to point out security flaws in their systems or procedures to handle such information, the document reads. Right now, only a handful of agencies accept security input from outsiders. “These circumstances create an environment that delays or discourages the public from reporting potential information security problems to the government, which can prevent these issues from being discovered and fixed before they are exploited or publicly disclosed,” the order said.
A VDP is designed to help people who have “seen something to say something to those who can fix it,” wrote Jeanette Manfra, CISA assistant director for cybersecurity, in a blog post. “It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems,” she said.
CISA will accept public comments from the public until December 27, 2019. “We want to hear from people with personal or institutional expertise in vulnerability disclosure,” Manfra said. “In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” she said.
Manfra touched on why CISA’s directive isn’t a mandate for a national, or universal VDP. Basically, CISA thinks it’s a good goal but an “unrealistic starting place” for most agencies. “Instead, the directive supports a phased approach to widening scope, allowing each enterprise – comprised of the humans and their organizational tools, norms, and culture – to level up incrementally,” she wrote.
The cyber agency also clarified what the directive does and doesn’t do.
Here's what it does:
- Lights a fire. Each agency must publish a VDP and maintain handling procedures, and the directive outlines a set of required elements for both.
- Draws a line in the sand. Systems “born” after publication of a VDP must be included in scope of an agency’s VDP.
- Expands the circle. Until everything is included, at least one new system or service must be added every 90 days to the scope of an agency’s VDP.
- Starts the clock. There’s an upper bound – 2 years from issuance, in this draft – for when all internet-accessible systems must be in scope.
- All are welcome. Anyone that finds a problem must be able to report it to an agency.
- No “catch and keep”. An agency may only request a reasonably time-limited restriction against outside disclosure to comply with their VDP.
- Defense, not offense. Submissions are for defensive purposes; they don’t go to the Vulnerabilities Equities Process.
Here’s what it doesn’t do:
- Does not establish a ”federal bug bounty”. A bug bounty is a program that pays researchers for valid and impactful findings. Nothing in the directive prevents individual agencies from establishing a bug bounty of their own.
- Does not create a “national VDP”. The directive is an executive branch policy instruction that requires federal civilian executive branch agencies to have a VDP. The difference might appear slight but they’re very different things.