CISA Offers Vulnerability Disclosure Platform for Civilian Agencies

The Cybersecurity and Infrastructure Security Agency has added a vulnerability disclosure platform to the marketplace run by its Cybersecurity Quality Services Management Office as a way to reduce the burden on federal agencies working to comply with a binding operational directive it finalized last fall.

“Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote in a blog post on Friday’s announcement of the platform. “Today, the future arrived.”

CISA issued a request for information on platforms that could help with the management of vulnerability reports security researchers submit to agencies in May 2020 and decided to provide the service through BugCrowd and EnDyna. Eleven agencies already have programs listed on the platform, including the Federal Communications Commission, and the Labor and Agriculture departments. The Defense Department uses a comparable platform through HackerOne. 

Under the directive, federal civilian executive branch agencies should have all published vulnerability disclosure policies by this spring. These are meant to let security researchers know what programs they can probe without incurring legal action if they’re caught, and when they might expect the government to address vulnerabilities they find.   

CISA estimates the platform will save the government $10 million by eliminating the need for agencies to set up their own. It will also allow agencies to be more responsive to hackers who want to give the government a chance to improve its defenses before releasing bugs publicly and forcing the issue by setting off a race against adversaries who may then exploit them, CISA said.  

The service providers will conduct an initial assessment of the vulnerability reports submitted which “will free up agencies’ time and resources and allow agencies to focus on those reports that have real impact,” Goldstein said. “CISA’s VDP Platform will help the [federal civilian executive branch] improve day-to-day operations when managing vulnerabilities in their information systems. Agencies have the option to utilize the platform to serve as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers.”

The binding operational directive does not obligate agencies to resolve vulnerabilities by a specific deadline, but it does require them to communicate timing expectations to security researchers and to track their remediation activity for reporting through CyberScope in accordance with Federal Information Security Management Act timelines. 

According to CISA’s description of the platform, it will also give the cybersecurity agency real-time oversight of agencies’ activity by sending alerts when certain thresholds— “ticket unresolved for X days” or “agency accumulating more than X reports without action,” for example—are met.

“Our goal is for the platform to act as a centralized vulnerability disclosure mechanism to enhance information sharing between the public and federal agencies,” Goldstein said. “This approach will improve agencies ability to analyze, address, and communicate disclosed vulnerabilities. CISA is excited to offer agencies and the public this new shared service that can help improve the security of the agency’s internet-accessible systems.”