The Office of Management and Budget (OMB) has finalized vulnerability disclosure policies (VDPs) for the Federal government and issued a memorandum to agencies today establishing the processes for identification, management, and remediation of security vulnerabilities.
“VDPs empower agencies to crowdsource vulnerability discovery and thereby realize extraordinary return on investment,” Acting Deputy Director for Management Michael Rigas said. “This is part of an ongoing effort to improve our cyber defenses and to improve government transparency, while adopting industry-tested and cost-effective measures to improve Federal information security programs.”
OMB worked with the Cybersecurity and Infrastructure Security Agency (CISA) on the new memo, and the two agencies are directing departments to establish VDPs and to receive vulnerability findings from the general public. In the memo, OMB applauds agencies that incorporate coordinated vulnerability disclosure practices such as VDPs into their cybersecurity risk management programs, because they “expand the diversity of thinking involved in vulnerability identification and substantively improve the cybersecurity posture of Federal information systems.”
Specifically, agencies are already implementing VDPs and bug bounties as forms of coordinated vulnerability disclosure, which OMB calls “among the most effective methods” for gaining insight into security vulnerabilities. The memo also describes vulnerability identification, management, and remediation programs; CISA’s actions and efforts on VDPs; and governmentwide actions and responsibilities for developing VDPs.
“Significant progress has been made toward securing the Federal government’s networks and information assets,” the memo concludes, “and CVD [coordinated vulnerability disclosure] will continue to build on that progress as the digital economy and the Federal government’s digital footprint continue to expand.”
Within 60 days, CISA is required to publish the actions agencies should take to incorporate VDPs into their information security programs. CISA will then work with Federal agencies to coordinate the tracking of submitted vulnerabilities across the Federal enterprise and publish a report on emerging VDP challenges. All Federal agencies are required to publish and operationalize a VDP within 180 days, with follow-up milestones to be provided later.
In support of OMB’s VDP efforts, CISA also issued Binding Operational Directive 20-01 today requiring Federal civilian executive branch agencies to develop and publish a VDP for their internet-accessible systems. Agencies will also be required to enable receipt of unsolicited reports, execute vulnerability disclosure handling procedures, and implement reporting requirements and metrics.
“Cybersecurity is strongest when the public is given the ability to contribute, and a key component to receiving cybersecurity help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” Assistant Director for Cybersecurity at CISA Bryan Ware said.