The Cybersecurity and Infrastructure Security Agency (CISA) released a draft version of Binding Operational Directive (BOD) 20-01 on November 27, which would require Federal agencies to establish a vulnerability disclosure policy for internet-connected systems.
The draft policy would require agencies to establish a contact point for unsolicited disclosure reports, establish handling procedures for vulnerability disclosures, and publish a policy that clarifies what types of testing are allowed on which systems. The ultimate scope of the program would be all Federal internet-connected systems that are not deemed national security systems, with agencies required to add at least one system to the program in the first 270 days, and at least one new system to the program every 90 days thereafter.
“By putting a vulnerability disclosure policy in place, agencies make it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect,” the draft policy states.
The BOD would not establish a Federal-wide or national level vulnerability disclosure program. The policy also would not require agencies to compensate those who report vulnerabilities (aka a bug bounty program), although it comes in concert with an Office of Management and Budget policy aimed at supporting bug bounty programs.
“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal. It makes sense particularly when each agency has all internet-accessible systems in scope, but we expect that goal to be an unrealistic starting place for most agencies,” said Jeanette Manfra, assistant director for cybersecurity at CISA, in a blog post.
The release of the draft policy also comes with a draft disclosure form, and recommends that agencies model their policies on existing programs at Federal agencies or standards organizations.
The policy is open for public comment, and the comment period will close on December 27.