DHS is mulling an order that would force agencies to set up vulnerability disclosure policies
Department of Homeland Security officials could in the coming months issue an order that would require federal civilian agencies to establish vulnerability disclosure policies that allow independent researchers to find flaws in agency websites and software applications, multiple officials told CyberScoop.
DHS officials are mulling the release of a Binding Operational Directive (BOD), an authority that compels agencies to get their security houses in order, typically on a tight deadline. The move would be a blunt response to the lack of federal progress on vulnerability disclosure policies (VDPs). Such programs are commonplace in the private sector as they allow resource-strapped organizations to tap outside security expertise, or at least let the public flag a security issue before it’s found by malicious hackers.
Out of scores of civilian agencies, less than 10 have VDPs in place, according to officials at DHS’s Cybersecurity and Infrastructure Security Agency.
“Agencies have not implemented vulnerability disclosure in a consistent fashion,” said Matt Hartman, an associate director at CISA. “And that’s what we’re interested in accelerating.”
A draft BOD has been in the works for months, DHS officials told CyberScoop. The document outlines key principles that every civilian executive-branch agency’s disclosure program should have. Those include legal protections for researchers who report bugs, expectations for how agencies will move to fix those bugs, and the scope of agency assets that a program should cover, two DHS officials told CyberScoop.
To complement the directive, one proposal on the table is for CISA to set up a central portal that would allow other agencies to receive vulnerability reports from researchers. In some cases, CISA might have to help an agency get a disclosure program off the ground.
CISA officials would have to navigate any friction that might arise from telling agencies how to handle their cybersecurity portfolios.
“We work with agencies of varying sizes,” Hartman added. “Some are very small agencies who it may not be in their mission or skillset to establish a program like this.”
CISA officials have yet to make a final decision on whether they will issue the BOD, as they look for less drastic ways to get agencies to adopt vulnerability disclosure policies.
“Anytime we issue a directive, it takes [resources] away from other things, and we’re very aware of that,” Hartman told CyberScoop.
Other options, according to one CISA official, include enlisting the interagency CIO or CISO councils, or an Office of Management Budget program that reviews agencies’ security practices, to encourage agencies to develop VDPs.
And yet the BOD is still very much in play: two officials told CyberScoop that CISA will likely issue the directive in the coming months.
DHS officials have previously used BODs to, for example, order agencies to more quickly patch critical software vulnerabilities and to rid their networks of software made by Kaspersky, a Russian antivirus company that officials deem a security risk.
Fear of the unknown
Examples of established federal vulnerability disclosure programs are few and far between. Both the Pentagon and a unit within the General Services Administration have well-regarded programs, and DHS is in the process of setting up a program of its own. The National Institute of Standards and Technology, a federal standards body, maintains influential cybersecurity guidelines that include vulnerability disclosure.
While there are processes for handling security vulnerabilities internally, having an external channel for doing that is foreign to many agencies.
“It’s like being afraid to go to a doctor because you don’t want to find something out about your health,” one Trump administration official said.
“It’s really a matter of educating agencies on why they need a [VDP],” the official said.
Ari Schwartz, a former National Security Council official in the Obama administration, said that federal cybersecurity policy has often focused on implementing broad statutes like the Federal Information Security Modernization Act (FISMA) and, in the process, has overlooked disclosure programs.
“We know that VDPs are part of a strong security program and it makes sense for agencies to begin using them,” said Schwartz, now managing director of cybersecurity services at law firm Venable.
“As organizations start new VDPs they learn a lot up front [about their security posture],” Schwartz told CyberScoop. “Agencies also might have some fear of the unknown on what’s going to happen to them when they start opening the gates [to outside researchers].”