CISA Finalized Directive on Vulnerability Disclosure Policies, Congressman Says 


The binding operational directive would create a legal path for ethical hackers to report website vulnerabilities to government agencies.

In November, the Cybersecurity and Infrastructure Security Agency issued a draft directive that would require civilian agencies to work with security researchers to find vulnerabilities on their websites. The policy is now final, according to Rep. Jim Langevin, D-R.I.

“CISA has finalized their BOD 20-01 and it is coordinating with [the Office of Management and Budget] on issuance,” Langevin said in an interview with Nextgov. “The current plan is for OMB to release their policy first, followed by CISA's directive shortly thereafter.”

Vulnerability disclosure policies are a way to meet the challenge of identifying and managing vulnerabilities on government websites, particularly given the information technology workforce shortage, the draft OMB policy notes. The identification of bugs can be essentially crowdsourced to ethical hackers who, without an explicit promise of legal protection, fear prosecution under laws like the Computer Fraud and Abuse Act.

OMB’s draft policy requires agencies to establish vulnerability disclosure policies within 180 days of a final memo being issued. Chief information officers will be bottom line responsible and should coordinate with CISA in maturing agency policies, OMB says. 

CISA’s draft binding operational directive is accompanied by a template that provides suggested legal language and timelines for responding to security researchers’ reports, and resolving them. 

The agency received public comments from the security research community—mostly praising the action—as well as industry and agency officials, some of which expressed trepidation about the ability to handle an influx of reports with limited resources, among other concerns. 

CISA and OMB both declined to comment providing more specific timing for the final policies, which Langevin enthusiastically supports.

“I want to give great credit to CISA and OMB on moving this issue along,” he said. “I'm thrilled that they issued the BOD to begin with.”

Langevin said that as it waits for OMB to finalize its policy, CISA is working with individual agencies that have already begun establishing vulnerability disclosure programs to support and guide initial steps in alignment with the planned directive. 

“CISA is working with these agencies who are early adopters to develop and provide use cases and lessons learned for other agencies post BOD 20-01 issuance,” he said, “so I know that we're going to be making progress on this, we're just waiting on OMB right now.”