US Agencies Must Create Vulnerability Disclosure PoliciesCISA Orders Departments to Create Disclosure Programs by March 2021
The U.S. Cybersecurity and Infrastructure Security Agency is ordering most executive branch agencies and departments to create vulnerability disclosure programs by March 2021.
Under the order, BOD 20-01, CISA is requiring agencies to create disclosure policies that will give guidance to security researchers and white hat or ethical hackers for how to submit reports about vulnerabilities and bugs in federal IT systems and software.
"BOD 20-01 is part of CISA's renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911," Bryan Ware, assistant director with CISA, notes in a report about the order. "That concept hinges on an understanding that 911 is distributed, and the center your call is routed to is dependent on physical geography."
While some of the larger government agencies, such as the Defense Department, already have disclosure programs and work with outside bug hunters to find vulnerabilities, many other federal agencies lack these policies, according to CISA.
By issuing an order, CISA, a unit of the Department of Homeland Security that’s responsible for securing America's critical infrastructure, is looking to create uniform standards for all federal agencies while providing guidelines on how types of vulnerabilities should be disclosed and mitigated.
"Make clear that the agency’s primary goal is receiving any information that can help it secure its systems and it welcomes all good faith attempts to comply with its policy," CISA advises agencies in its order. "In other words, it should relay an impression that your agency is more concerned with receiving and fixing vulnerabilities than in enforcing strict compliance with the letter of the policy."
CISA first circulated a draft of its vulnerability disclosure order in November 2019, and it received feedback from over 40 security researchers, academics, federal agencies, technology companies and members of Congress.
The CISA report notes that under current policies, even when ethical hackers want to submit information about a flaw affecting a federal IT system or software, many agencies lack clear communications channels, such as a designated email address, for submitting this information.
"When individuals cannot find an authorized disclosure channel (often a web page or an email address of the form firstname.lastname@example.org), they may resort to their own social network or seek out security staff’s professional or personal contact information on the internet," according to the CISA order. "Or, if the task seems too onerous, they may decide that reporting is not worth their time or effort."
Even if an ethical hacker or researcher finds a way to submit information about a vulnerability to a federal agency, departments frequently lack standard policies to notify ethical hackers if a particular flaw has been fixed, according to CISA.
Under the new order, agencies must develop a vulnerability disclosure program within 180 days that offers clear guidelines to ethical hackers about how to disclose vulnerabilities and which communication channels they should use to submit their research.
CISA notes that eventually, all internet-accessible systems and services, including development or test environments, must be included within agencies' vulnerability disclosure policies.
The policies also must include language that all "good faith security research is welcomed" and that those submitting legitimate information about flaws and bugs will not face any reprisals, according to the order.
The order also notes that the vulnerability disclosure policies are not the same as bug bounty programs, which offer financial incentives to disclose bugs and flaws. CISA notes: "While bug bounties can enhance security, this directive does not require agencies to establish bug bounty programs."
Making Disclosures Programs Work
Some federal agencies, such as the Defense Department, already have well-established vulnerability disclosure programs that allow outside hackers to submit information about bugs and flaws.
The Pentagon has also partnered over the years with HackerOne, a private firm with a platform that allows researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures.
Within the last week, HackerOne published several disclosures submitted by white hat hackers about vulnerabilities affecting systems within the Defense Department, including a remote code execution vulnerability on a Pentagon server that is considered critical and a subdomain takeover flaw found within an unpatched Amazon AWS3 bucket used by the department.
In an interview with Information Security Media Group in August, Katie Moussouris, the founder and CEO of Luta Security, which helps organizations create vulnerability coordination programs, notes that these programs should not be viewed as quick fixes but rather as a way to build better defenses (see: So You Want to Build a Vulnerability Disclosure Program?).