CISA bug bounty directive awaits White House blessing

The Cybersecurity and Infrastructure Security Agency has completed the final version of a draft Binding Operational Directive instructing agencies to create vulnerability disclosure programs that allow third-party bug hunters to flag security vulnerabilities in federal systems.

Multiple sources, including a CISA official, confirmed to FCW on background that agency leaders have submitted the directive to the Office of Management and Budget, where it has been awaiting approval from Director Russ Vought.

A request for comment to OMB, along with questions about timeline for releasing the memo or BOD, was not immediately returned. A CISA spokesperson said the agency does not have a timeline available for releasing the finalized directive.

The draft version released in November 2019 would give agencies 15 business days to publicly list ways for security researchers to contact them about bugs. Within six months, they must establish a formal vulnerability disclosure policy outlining what systems are in scope, authorized methods of testing and expectations around transparency and legal liability. Within two years of the BOD's official release, all internet-facing systems must be covered under an agency's program.

FCW has not seen the finalized BOD, but several sources indicated the delay at OMB doesn't appear to be related to any major substantive disagreement with CISA over language, and they expect the final version to closely resemble the draft document released in 2019.

In December 2019, FCW reported on feedback the draft directive received from security researchers and the public, including concerns that language around the legal safe harbor provided to researchers by the government needed more clarification. However, none of the sources indicated that has played a factor in the delay.

Rep. Jim Langevin (D-R.I.) told Nextgov in August that OMB is looking to finalize their own related policy document on vulnerability disclosures before the CISA directive is released.

Matthew Cornelius, a former Senior Technology and Cybersecurity Advisor at OMB who has pushed for the adoption of coordinated vulnerability disclosure programs across government, told FCW through email that while CISA is not legally required to get OMB approval or sign-off before issuing a Binding Operational Directive, the two agencies often coordinate under the Federal Information Security Modernization Act to ensure harmony between policy (set by OMB) and operational actions (undertaken by CISA) around federal cybersecurity.

"FISMA was drafted to create a robust policy and implementation framework to improve Federal cybersecurity. It has also created some tension (not always unhealthy, and sometimes very helpful) between CISA's clear operational role in implementation of federal cybersecurity policies and programs and OMB's larger policy development and oversight role," Cornelius wrote.

During a House Oversight and Government Reform Committee hearing earlier this year, Government Operations Subcommittee chair Gerry Connolly (D-Va.) expressed a desire to update FISMA, in part to deconflict the multi-stakeholder interagency process involved in setting governmentwide cybersecurity policy.

"I think the last time we even authorized FISMA or went through a reauthorization, I was a freshman and…that's an eternity in technology," said Connolly, who was first elected to Congress in 2008.

Congress and some cybersecurity industry groups have indicated a desire to expand upon the handful of agencies that have set up vulnerability disclosure programs to protect public-facing government systems. If the timelines included in the draft CISA directive make it through to the final version, it essentially guarantees that agencies won't be ready to stand up their programs until 2021 or later. Agencies would also need the directive and memo in place in order to flesh out budget justifications to Congress and fund their programs.

"To the extent that there isn't any substantive policy or process concerns from OMB, I would hope that their memorandum and the CISA BOD can be published immediately, as implementation and coordination are necessary through the budget development and resource planning exercises already actively underway," Cornelius said. "Any further delay could risk pushing the timelines for implementation further to the right and delaying the ability of Federal agencies to effectively harness the expertise of the security researcher community to improve the identification and remediation of critical vulnerabilities."