Skip to Content

Department of Homeland Security Issues Draft Directive in an Attempt to Enhance Federal Agencies’ Responsiveness to Cybersecurity Vulnerabilities

On Wednesday, November 27, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a draft directive that would require federal agencies to develop and publish a Vulnerability Disclosure Policy (VDP).

The draft directive is an attempt to streamline and enhance federal agencies’ ability to receive vulnerability reports from third parties and respond appropriately.

If finalized, the directive would set the groundwork for continually updating VDP requirements. The draft directive requires the directive itself to be updated at least every 2 years to account for changes in the general cybersecurity landscape and incorporate additional best practices to receive, track, and report vulnerabilities identified by reporters.

Opportunity for public commentary

The CISA will receive public comments on the draft directive through December 27, 2019. This is the first time CISA has requested comments on this kind of directive.

“We want to hear from people with personal or institutional expertise in vulnerability disclosure,” wrote Jeanette Manfra, CISA’s Assistant Director of Cybersecurity.

The draft directive offers hope for third-party cybersecurity analysts who discover vulnerabilities in the government’s data protection methods and try to report the issues for rectification.

Presently, these reporters often face a frustrating web of roadblocks in their attempts to report potential weaknesses in government systems. Most federal agencies lack a formal mechanism to receive unsolicited information from third parties about potential security vulnerabilities on their systems, and many agencies have no defined strategy for handling such reports.

Draft directive clears roadblocks for cybersecurity consultants to help

The draft directive seeks to clear these roadblocks. The hope is this, in turn, will encourage third parties to report vulnerabilities and allow agencies to respond quickly and efficiently to any such reports.

If finalized, the directive would require agencies to:

  • Immediately report to CISA valid or credible vulnerability reports and any response activities the agency believes CISA may be able to assist with or should know about
  • Within 15 days, enable receipt of unsolicited reports
  • Within 180 days, develop and publish their VDP on their website
  • Within 180 days, develop or update their internal vulnerability disclosure handling procedure
  • Within 270 days and quarterly thereafter, report specific metrics to CISA

What does the current directive require of federal agencies?

In its current form, the directive requires VDPs to identify:

  • Which systems are in the VDP’s scope
  • The types of testing allowed or specifically not authorized
  • How to submit vulnerability reports, including:
  • Where to send the reports
  • A request for information needed to find and analyze the vulnerability
  • A clear statement that reports may be submitted anonymously
  • A commitment to not recommend or pursue legal action against anyone the agency concludes was acting in good faith to follow the policy, and a clear statement that the testing activity is authorized
  • A statement that sets expectations for when the reporter can anticipate acknowledgment of their report and pledges the agency to be as transparent as possible about what steps it is taking during the remediation process
  • The VDP’s issuance date

As written, the directive VDPs may not:

  • Require the submission of personally identifiable information to submit a report
  • Limit testing solely to “vetted” registered parties or U.S. citizens
  • Attempt to restrict the reporter’s ability to disclose discovered vulnerabilities to others, with an exception for a reasonably time-limited response period
  • Submit disclosed vulnerabilities to the Vulnerabilities Equities Process

Agency reporting to CISA will change

As for the reporting requirements, agencies must submit the following information to the CISA via CyberScope within 270 days from the issuance of the final directive and quarterly thereafter:

  • Number of vulnerability disclosure reports received;
  • Number of reported vulnerabilities determined to be valid;
  • Number of currently open and valid reported vulnerabilities;
  • Number of currently and valid reported vulnerabilities older than 90 days from the receipt of the report;
  • Median time to validate a submitted report;
  • Median time to remediate/mitigate a valid report; and
  • Median time to respond initially to the report.

The draft directive allows the CISA to take actions against agencies for non-compliance with the directive. However, the directive does not specifically identify potential penalties.