Legislation that would require the Department of Homeland Security (DHS) to submit a yearly report to Congress on the disclosure of cyber vulnerabilities was reintroduced by Rep. Sheila Jackson Lee, D-Texas, on Jan. 11.
The bill – the Cyber Vulnerability Disclosure Reporting Act – would attempt to shed more light on the Federal government’s processes for sharing its knowledge about bugs and exploitable flaws in commercial software and systems. The issue has a long tail in Federal policy stretching back to debates about how and whether intelligence agencies should disclose vulnerabilities that they discover.
In a related development, the Cybersecurity and Infrastructure Security Agency (CISA) in 2020 issued a directive for Federal agencies to develop and publish vulnerability disclosure policies.
In 2021, CISA published a related directive to establish a catalog of known exploited vulnerabilities, and a requirement for Federal agencies to take action to remediate against them.
“This directive will significantly improve the federal government’s vulnerability management practices and degrade our adversaries’ abilities to exploit known vulnerabilities,” said CISA Director Jen Easterly at the time. “And while the BOD only covers Federal civilian agencies, we strongly recommend that every network defender review the known vulnerabilities posted publicly at CISA.gov and prioritize urgent remediation.”
Rep. Jackson Lee’s bill would require the DHS Secretary to “submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures,” according to the legislation’s text.
DHS would have 240 days to create its first report if the legislation becomes law.
The House bill does not appear to have a Senate companion measure.