CISA issues vulnerability disclosure order for federal agencies

U.S. federal agencies could soon be working more broadly with security researchers to fix vulnerabilities and make their networks more secure.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a directive Wednesday for federal agencies to establish vulnerability disclosure policies in the next 180 calendar days. A growing number of technology manufacturers have implemented vulnerability disclosure policies (VDP) and programs in recent years to take advantage of third-party research and reporting of security vulnerabilities in their products and networks.

CISA's Binding Operational Directive 20-01 requires the VDPs to include which internet-accessible production systems or services are in scope initially, with a requirement that all internet-accessible systems or services must be in scope by the two-year mark. The directive also requires agencies to determine which types of testing are and are not allowed (as well as a statement preventing the disclosure of any personally identifiable information discovered by a third party) and how to submit vulnerability reports.

Perhaps most importantly, the CISA directive requires VDPs to include "a commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy, and deem that activity authorized," as well as a statement to set expectations to reporters for when to anticipate acknowledgement of their reports from the agency and an issuance date.

The directive also notes that by the 180-day mark, agencies must "develop or update vulnerability disclosure handling procedures to support the implementation of the VDP." This includes describing how vulnerabilities will be tracked over time until resolution, setting timelines for the complete process from acknowledgement to fix and more.

As opposed to a traditional bug bounty program, researchers will not be paid by agencies for discovering and reporting vulnerabilities. However, several federal agencies and departments have launched or expanded their own bug bounty programs.

The beginning of CISA's directive touches on negative effects of not having defined programs and policies for vulnerability disclosures in place. Effects include the reporter not knowing how to report a vulnerability, the reporter having no confidence the vulnerability is being fixed and the reporter being afraid of legal action.

"To many in the information security community, the federal government has a reputation for being defensive or litigious in dealing with outside security researchers. Compounding this, many government information systems are accompanied by strongly worded legalistic statements warning visitors against unauthorized use. Without clear, warm assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report at all," the directive reads.

A blog post from CISA assistant director Brian Ware notes that "VDPs are a good security practice and have quickly become industry-standard," and that the directive "is different from others we've issued, which have tended to be more technical -- technological -- in nature."

"At its core, BOD 20-01 is about people and how they work together. That might seem like odd fodder for a cybersecurity directive, but it's not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow," Ware wrote.