By Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA
Last fall, we issued the final version of Binding Operational Directive (BOD 20-01), which was issued in support of the Office of Management and Budget M-20-32, “Improving Vulnerability Identification, Management, and Remediation”. This Directive reflects CISA’s commitment to strengthening cybersecurity and resilience for federal civilian agencies by requiring agencies to establish policies enabling the public to contribute and report vulnerability disclosures. Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future. Today, the future arrived.
The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.
This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture. This approach also enables significant government-wide cost savings, as agencies no longer need to develop their own, separate systems to enable reporting and triage of identified vulnerabilities. CISA estimates over $10 million in government-wide cost savings will be achieved by leveraging the QSMO shared services approach.
Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified. BugCrowd and EnDyna, the service providers, will conduct an initial assessment of the vulnerability reports submitted. This initial assessment will free up agencies’ time and resources and allow agencies to focus on those reports that have real impact.
CISA’s VDP Platform will help the FCEB improve day-to-day operations when managing vulnerabilities in their information systems. Agencies have the option to utilize the platform to serve as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. Our goal is for the platform to act as a centralized vulnerability disclosure mechanism to enhance information sharing between the public and federal agencies. This approach will improve agencies ability to analyze, address, and communicate disclosed vulnerabilities.
CISA is excited to offer agencies and the public this new shared service that can help improve the security of the agency’s internet-accessible systems.