DHS issues draft order to require vulnerability disclosure policies at civilian agencies

The Department of Homeland Security’s cybersecurity division is trying something new in appealing for public input before issuing an order.

The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first.

On Wednesday, DHS’ Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications.

The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place.

“[I]t’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation,” Jeanette Manfra, CISA’s assistant director for cybersecurity, wrote in a blog post explaining the unusual decision to seek feedback on a DHS cybersecurity order.

Outside experts on VDPs have a month to offer their feedback.

The draft order tasks agencies with setting up VDPs within six months of the order being released. It adds a sense of urgency to the issue by requiring agencies to add one new system or service to the scope of their VDPs every 90 days. The draft BOD also “draws a line in the sand” for agencies to embrace VDPs, as Manfra put it, in that agency systems that come online after the directive must be included in the disclosure program.

“In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” Manfra, who is leaving CISA by the end of the year, wrote in her blog post.

The big changes in how agencies deal with software vulnerabilities will be coordinated through the Office of Management and Budget, which has issued its own guidance to agencies as they prepare to establish VDPs.

“As the federal government’s digital footprint has expanded, the risks to its networks and information have also grown,” the OMB guidance states.

Politico first reported on the draft BOD’s publication Wednesday.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.