DHS issues draft order to require vulnerability disclosure policies at civilian agencies
The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first.
On Wednesday, DHS’s Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications.
The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place.
“[I]t’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation,” Jeanette Manfra, CISA’s assistant director for cybersecurity, wrote in a blog post explaining the unusual decision to seek feedback on a DHS cybersecurity order.
Outside experts on VDPs have a month to offer their feedback.
The draft order tasks agencies with setting up VDPs within six months of the order being released. It adds a sense of urgency to the issue by requiring agencies to add one new system or service to the scope of their VDPs every 90 days. The draft BOD also “draws a line in the sand” for agencies to embrace VDPs, as Manfra put it, in that agency systems that come online after the directive must be included in the disclosure program.
“In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” Manfra, who is leaving CISA by the end of the year, wrote in her blog post.
The big changes in how agencies deal with software vulnerabilities will be coordinated through the Office of Management and Budget, which has issued its own guidance to agencies as they prepare to establish VDPs.
“As the federal government’s digital footprint has expanded, the risks to its networks and information have also grown,” the OMB guidance states.
Politico first reported on the draft BOD’s publication Wednesday.