CISA, White House release vulnerability disclosure policies

The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency have released a memorandum and Binding Operational Directive guiding federal agencies on how to set up their vulnerability research and disclosure programs.

Yesterday FCW reported that officials at CISA were waiting for OMB to release their own guidance around vulnerability disclosure and get the agency's blessing before finalizing a Binding Operational Directive on the same issue. Today the agencies published both documents.

The CISA directive gives agencies 30 days to establish a security contact for each registered .gov domain. Within six months, they must publish their own vulnerability disclosure policy outlining the scope of covered systems, how outside security researchers can submit reports, expectations for how and when the agency will respond and a clear commitment that they will not recommend or pursue legal action against anyone making a good faith effort to follow the rules. They cannot require personally identifiable information from researchers, must allow for anonymous submissions and must not restrict the ability of researchers to disclose vulnerabilities to others outside of requesting a "reasonably time-limited response period."

After nine months, agencies must start adding at least one internet-accessible system or service to the list of eligible programs and within two years, all such systems must be covered under the program. CISA will also set up a new vulnerability disclosure platform service next spring, Assistant Director Bryan Ware explained on the agency's blog.

"This directive is different from others we've issued, which have tended to be more technical – technological – in nature," Ware wrote. "At its core, [this directive] is about people and how they work together. That might seem like odd fodder for a cybersecurity directive, but it's not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow."

The OMB memorandum specifies that agency programs should be closely aligned with both current federal laws as well as international standards, such as those set out by the International Organization for Standardization or the International Electrotechnical Commission.

While bug bounties – programs that offer financial incentives to security researchers for finding software vulnerabilities – can be useful, OMB warns that individual agencies must "carefully weigh the cost, organizational competence and maturity required for a strong and sustainable program."

Vulnerability disclosure programs "empower agencies to crowdsource vulnerability discovery and thereby realize extraordinary return on investment," Acting Deputy Director for Management Michael Rigas said in a statement." This is part of an ongoing effort to improve our cyber defenses and to improve government transparency, while adopting industry-tested and cost-effective measure to improve federal information security programs."

The OMB press release also said they are already working with the Cybersecurity and Infrastructure Security Agency and others to establish their programs and "expand their scope in a responsible manner."

"Cybersecurity researchers perform an enormous public service by volunteering their time to find and report problems that threaten Americans' security and privacy," Sen. Ron Wyden (D-Ore.) said in a statement. "The government should be rolling out the red carpet to them. CISA deserves praise for this effort to repair the damage done over the years by government agencies harassing and prosecuting cybersecurity researchers."