How CISA's Planning to Track Agencies' Vulnerability Remediation

The Cybersecurity and Infrastructure Security Agency is interested in acquiring a centralized platform for overseeing federal agencies' attempts to fix vulnerabilities security researchers bring to their attention, and plans to issue a request for proposals this summer.   

In November, CISA invited feedback on a draft binding operational directive instructing civilian agencies to publish a policy under which they would receive and resolve vulnerabilities the public security researchers identify. The idea was that do-good hackers, typically afraid of legal liability for exposing weaknesses they spot in code or discouraged by a lack of responsiveness when they do, would feel more inclined to report the vulnerabilities to administrators.

The draft received mixed reviews, with some agency officials expressing concerns about being flooded by frivolous reports and the feasibility of meeting suggested timelines for responding to researchers and addressing the vulnerabilities given the need to wade through these.

According to attachments included in a request for information that CISA, along with the General Services Administration, posted to beta.sam.gov on Tuesday, the cybersecurity agency plans to officially request proposals to address that issue this summer. 

An entity with a commercially available software as a service platform would receive all of the security researchers' reports, handle the initial triaging to ensure they’re valid, and then tag and assign them to the appropriate agency for remediation.

The entity would also catalog monthly how many vulnerabilities are being reported to each agency and how long it takes those agencies to get to them.

In a draft performance work statement, the RFI suggests some triaging would still be up to the individual agencies. 

“The agency can update the submission’s status via platform interface or [Application Program Interface]," it reads. “Once the vulnerability is triaged, the agency can update or close the submission, an action that triggers a notification to the reporter.”

The system would also give reporting agencies the ability to track the status of their submissions, create a profile and accumulate points and recognition, and communicate with administrators about whether vulnerabilities have been fixed. 

CISA wouldn’t directly engage in addressing vulnerabilities but would have oversight over the whole process.

“CISA is alerted when certain defined thresholds are met (ticket unresolved for X days, agency accumulating more than X reports without action, etc.),” reads the RFI’s description of the platform’s functionality. It would allow “CISA to adjudicate submissions where the agency is unknown (or has been unresponsive), view statistical data and trends, run reports, export data, and view agency submissions.” 

CISA also lays out metrics for assessing the performance of the service provider, such as whether 95% of incoming reports are being tagged and assigned within a business day. 

And the platform should also facilitate agencies opting to implement a bug bounty program, where the security researchers are paid for valid vulnerabilities they find. This, CISA says, may increase the security requirements necessary to obtain a final authorization to operate. But at this time, no Federal Risk and Authorization Management Program certification is required.  

The plan is for the platform to be centrally managed by CISA’s Cybersecurity Quality Services Management Office and is intended to “support [federal civilian executive branch agencies] by providing a standard approach to accept vulnerability submissions from a network of security researchers,” the agency says.

CISA says it’s currently working with civilian agencies to identify which ones will be participating at the time a contract is awarded for the platform, but the government estimates there will be 98 agencies, 23 of which are governed by the Chief Financial Officers Act, and 75 that are not. 

The deadline for responding to the RFI was also Tuesday (the posting was a followup RFI on one posted in December and will become “inactive” June 10). But CISA says “contractors who do not respond to this RFI are not excluded from any resulting solicitation(s).” The agency will also begin hosting one on one meetings, as early as today and continuing through June 2, to answer questions from interested parties.