The Office of Management and Budget (OMB) released draft guidance for Federal agencies on vulnerability disclosure that would require clear vulnerability disclosure policies and create a Federal-wide strategy for implementation.
The draft policy, released by the Federal CIO’s office on November 27, aims to support the creation and implementation of more vulnerability disclosure programs at Federal agencies, and comes in concert with a draft Binding Operational Directive (BOD) released by the Cybersecurity and Infrastructure Security Agency (CISA) on the same day.
Under the draft policy, agencies would need to:
- Publish a vulnerability disclosure policy within 180 days;
- Develop or update internal vulnerability handling procedures to meet CISA guidelines within 180 days; and
- Track the policy’s effectiveness through FISMA reporting.
The policy also includes several items for specific agencies to implement, if finalized:
- CISA, the Department of Justice, and the National Institute of Standards and Technology (NIST) will publish immediate implementation actions for agencies within 60 days;
- CISA will develop a Federal-wide strategy and implementation plan to address common challenges of vulnerability disclosure within 150 days; and
- CISA and the Office of the Federal CIO will coordinate tracking of submitted vulnerabilities across the Federal government within 240 days.
“The Federal government remains committed to finding new and innovative ways to leverage top talent to help agencies meet critical cybersecurity needs, and CVD [coordinated vulnerability disclosure] will continue to offer a unique lever in securing the Federal enterprise,” the draft policy states.
The policy also encourages Federal agencies to consider bug bounty programs, suggesting that they model them on existing bug bounty programs, and sets the stage for future guidance on paid vulnerability disclosure.
OMB is accepting comment on the policy until December 27, 2019.