CISA orders agencies to set up vulnerability disclosure programs
Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector.
Now, to put an end to the foot-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs).
CISA on Wednesday issued a directive requiring agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously, and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life.
“We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director Bryan S. Ware said in announcing the directive.
The White House echoed that language in a memo to agencies backing the VDP initiative and setting deadlines for agencies to act.
“By clearly providing reporting mechanisms, timely feedback, and remediation, agencies can benefit from good-faith security research to enhance the security of federal information systems,” the Office of Management and Budget memo says.
Federal progress on VDPs has been slow. Very few federal civilian agencies have adopted programs in the 10 months since CyberScoop reported that CISA was considering issuing the directive.
Agencies will have to gradually add systems to their VDPs until, after two years, all of an agency’s internet-accessible assets are covered by the program. CISA will help agencies that have limited resources and experience to set up their VDPs, Ware said.
Lawmakers welcomed the directive.
“CISA deserves praise for this effort to repair the damage done over the years by government agencies harassing and prosecuting cybersecurity researchers,” said Sen. Ron Wyden, D-Ore. “Americans are better off if the first person to find a security problem in [a] government system is a researcher working in the public interest, who will report the flaw so it can be fixed, and not a hacker working for Russia or China.”
Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, suggested that states and local governments, and even private firms, could use the CISA directive as a blueprint for working with researchers.
The effort to adopt VDPs at the federal level coincides with a gradual embrace of them in the election infrastructure sector. In August, Ohio became the first state to issue a VDP for election-related websites. That same week, the largest voting equipment vendor in the U.S. announced its own VDP.