OMB Instructs U.S. Agencies To Implement VDPs
The U.S. Office of Management and Budget (OMB) released a memo that instructs U.S. federal agencies to create and publish coordinated vulnerability disclosure program (VDP) policies. The move will allow the research community and others to alert the government about vulnerabilities in its systems through a clearly established program.
“Maintaining processes, procedures, and toolsets to identify, manage, and remediate vulnerabilities, no matter how they are discovered, is key to sustaining a risk-aware enterprise cybersecurity program,” according to the memo. “While many federal agencies already maintain certain capabilities to discover vulnerabilities, such as penetration testing or receiving threat and vulnerability information from the Department of Homeland Security (DHS), agencies can benefit from closer partnerships with the reporters who choose to use their skills to find and report vulnerabilities on federal information systems as a means to improving national cybersecurity.”
The memo, issued on 2 September, gives agencies 180 days to implement VDPs that are clearly worded, clearly identify reporting mechanisms, provide timely feedback, have unencumbered remediation, and clarify that good-faith security research is not considered an incident or a breach.
seeing the phrase "Good-Faith Security Research is Not an Incident or Breach" in a @WhiteHouse document is a little surreal, but boy it's exciting https://t.co/bpEliovh1X cc: @bugcrowd @disclose_io— caseyjohnellis (@caseyjohnellis) September 2, 2020
“With a clear VDP in place that addresses the above considerations, agencies make it clear for the public to know where to report vulnerabilities and set an expectation of communication with vulnerability reporters regarding timely remediation,” the memo said.
OMB also required DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to release implementation guidance for incorporating VDPs into their information security programs in an “effective, standardized, responsible, and tailored manner,” along with supporting agencies facing challenges and producing a public report identifying persistent and common challenges related to VDPs.
In coordination with those requirements, CISA released a binding operational directive (BOD 20-01)—also on 2 September—that provides implementation guidance for agencies to create their VDPs.
“Cybersecurity is strongest when the public is given the ability to contribute, and a key component to receiving cybersecurity help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” said Bryan Ware, assistant director for cybersecurity at CISA, in a press release.
H/T to @jmmanfra for getting this concept off the ground under her tenure. Well done by @bsware and team to get across the finish line. And a nice coda to Grant Schneider’s service as Fed CISO. https://t.co/4JYlGgRk9W— Chris Krebs (@CISAKrebs) September 2, 2020
CISA released the directive almost a year after issuing a draft to the public in November 2019, seeking feedback on the final directive about best practices for crafting a VDP. The agency received more than 200 recommendations from security researchers, academics, federal agencies, technology companies, civil society, and lawmakers—which Ware said ultimately helped CISA craft a better directive.
“At CISA, we believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” Ware explained in a blog post on the directive. “BOD-20-01 is part of CISA’s renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911. That concept hinges on an understanding that 911 is distributed, and the center your call is routed to is dependent on physical geography.”
In that vein, the directive requires agencies to add security contact information in the .gov registrar, post their VDP publicly, and add security.txt to their primary .gov website. CISA also plans—to help centralize its efforts—to provide a vulnerability disclosure platform service in spring 2021.
“This directive is different from others we’ve issued, which have tended to be more technical—technological—in nature,” Ware explained. “At its core, BOD 20-01 is about people and how they work together. That might seem like odd fodder for a cybersecurity directive, but it’s not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow.”
U.S. Representative Jim Langevin (D-RI), a member of the House Committee on Homeland Security, the Cyberspace Solarium Commission, and co-founder and co-chair of the Congressional Cybersecurity Caucus, has long advocated for the U.S. government to adopt VDPs. He commended CISA’s work in issuing the binding directive earlier this week, saying it was an “important step” in normalizing clear guidelines for reporting vulnerabilities.
“Cybersecurity is a public good that is strongest when the public is given the ability to contribute.” Powerful words that are fully backed up by @CISAgov’s latest Binding Operational Directive on #VDP. Great work by @CISAKrebs, @bsware and the team! https://t.co/TEDHJV59iL pic.twitter.com/Og505V2CjX— Jim Langevin (@JimLangevin) September 2, 2020
“Assistant Director Bryan Ware and his team have done an absolutely terrific job with the vulnerability disclosure directive, which sets a new bar for cybersecurity leadership by the federal government,” Langevin said in a statement. “I fully expect state and local governments, private companies, and non-profits to use the directive and the corresponding OMB memorandum as models of how to effectively extend the hand of friendship to security researchers and protect their systems.”