A new Cybersecurity and Infrastructure Security Agency (CISA) mandate requires U.S. agencies to implement vulnerability-disclosure policies by March 2021.
The U.S. government’s cybersecurity agency CISA has issued a mandate that requires federal agencies to implement vulnerability-disclosure policies (VDPs) by March 2021.
The main purpose of vulnerability-disclosure policies is to ensure that required information, other than confidential business information, is disclosed to the public and shared with relevant parties in a timely, accurate, complete, understandable, convenient and affordable manner.
The move aims at providing government agencies a formal mechanism to receive from security researchers and white-hat hackers reports of vulnerabilities on their infrastructure.
Vulnerability-disclosure policies allow enhancing the resiliency of the government’s infrastructure by encouraging meaningful collaboration between federal agencies and the public.
“When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and address a wider array of concerns,” reads the CISA directive. “This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies. Additionally, ensuring consistent policies across the executive branch offers those who report vulnerabilities equivalent protection and a more uniform experience.”
The Vulnerability-disclosure policies would specify which systems are covered as part of the process, including those systems that were not intentionally exposed online.
The directive mandates that organizations implement VDPs with clear wording around which systems are in-scope, as well as assurances around good-faith security research.
A draft of the directive was first issued in December 2019 open to public comment, since then the agency received more than 200 recommendations from more than 40 security experts, academics, federal agencies, civil society, and members of Congress.
In the next 60 days CISA will publish further guidance regarding the implementation of the VDP into their information-security programs and within 180 days all agencies must publish their vulnerability disclosure policy.
Within 240 days, the agencies must report milestones for VDP to cover all government information systems and CISA must begin coordinating the processes implemented t the disclosure of the vulnerabilities.
“To centralize part of this effort, CISA will offer a vulnerability disclosure platform service next spring. We expect this will ease operations at agencies, diminish their reporting burden under this directive, and enhance discoverability for vulnerability reporters.” concludes the directive.
(SecurityAffairs – hacking, vulnerability-disclosure policies)