Cybersecurity

House passes vulnerability disclosure oversight bill

 

The House of Representatives passed a bill requiring the Department of Homeland Security to inform Congress about how it makes vulnerability disclosure decisions.

The bill, introduced by Rep. Sheila Jackson Lee (D-Texas), seeks to provide Congress with more clarity surrounding the policies and processes used in the vulnerabilities equities process, the executive decision-making that determines whether to disclose a bug to software companies so it can be remediated or to retain it for use in secret espionage.

The bill passed the House by voice vote Jan. 9.

Specifically, the bill would mandate that DHS submit a report on cyber vulnerability disclosures to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs Committee.

The report would include -- "to the extent possible" -- which policies and procedures were used to disclose cyber vulnerabilities, as well as the ways in which industry and other beneficiaries acted upon the information provided. The report could also detail how DHS is working across government to protect critical infrastructure and to prevent, detect and mitigate cyber vulnerabilities.

Since the bill's introduction in July 2017, the White House publicly released its bug disclosure policy, revealing some of the considerations taken into account and which agencies are involved in the decision to inform industry about cyber bugs.

White House Cybersecurity Coordinator Rob Joyce has said that government, the world's largest purchaser of malware and software vulnerabilities, ends up disclosing about 90 percent of known vulnerabilities.

Representatives from the Departments of Justice, State, Homeland Security, Energy, Defense, Commerce and Treasury, along with the Office of Management and Budget, CIA, NSA and FBI, are involved in this decision-making. The process is overseen by the White House.

The process of deciding whether to share known vulnerabilities has been of bipartisan interest to Congress for some time. In May, members of the House and Senate from both sides of the aisle introduced a bill that would codify the vulnerabilities equities process board and criteria for releasing vulnerability information.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter
