CISA Finalized Directive on Vulnerability Disclosure Policies, Congressman Says 

In November, the Cybersecurity and Infrastructure Security Agency issued a draft directive that would require civilian agencies to work with security researchers to find vulnerabilities on their websites. The policy is now final, according to Rep. Jim Langevin, D-R.I.


“CISA has finalized their BOD 20-01 and it is coordinating with [the Office of Management and Budget] on issuance,” Langevin said in an interview with Nextgov. “The current plan is for OMB to release their policy first, followed by CISA's directive shortly thereafter.”


Vulnerability disclosure policies are a way to meet the challenge of identifying and managing vulnerabilities on government websites, particularly given the information technology workforce shortage, the draft OMB policy notes. The identification of bugs can be essentially crowdsourced to ethical hackers who, without an explicit promise of legal protection, fear prosecution under laws like the Computer Fraud and Abuse Act.


OMB’s draft policy requires agencies to establish vulnerability disclosure policies within 180 days of a final memo being issued. Chief information officers will bear ultimate responsibility and should coordinate with CISA in maturing agency policies, OMB says.


CISA’s draft binding operational directive is accompanied by a template that provides suggested legal language and timelines for responding to security researchers’ reports, and resolving them. 


The agency received public comments from the security research community—mostly praising the action—as well as industry and agency officials, some of which expressed trepidation about the ability to handle an influx of reports with limited resources, among other concerns. 


CISA and OMB bo ..