Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 20-01, which requires individual federal civilian executive branch (FCEB) agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services, and maintain processes to support their VDP. This BOD is part of CISA’s agency-wide priority to make 2020 the “year of vulnerability management,” with a particular focus on making vulnerability disclosure to the civilian executive branch easier for the public.
“Cybersecurity is strongest when the public is given the ability to contribute, and a key component to receiving cybersecurity help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” said Bryan Ware, Assistant Director for Cybersecurity, CISA.
Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. They make it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect.
When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and address a wider array of concerns. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more information to protect their agencies. Additionally, ensuring consistent policies across the Executive Branch offers those who report vulnerabilities equivalent protection and a more uniform experience.
To read more details about BOD 20-01, see our blog, Improving Vulnerability Disclosure Together (officially). It also discusses how the final directive is different from others we have issued and how CISA reviewed and implemented the public comments on the draft directive issued in November.