The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued its final directive requiring federal civilian agencies to develop and publish a vulnerability disclosure policy (VDP) for their Internet-accessible systems and services, which will make it easier for the public to report flaws found on government websites.
“Cyber security is strongest when the public is given the ability to contribute, and a key component to receiving cyber security help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” Bryan Ware, assistant director for Cybersecurity at CISA, said in a statement.
The eight-page directive, Binding Operational Directive 20-01, signed by CISA Director Christopher Krebs, says that a VDP is critical for “an effective enterprise vulnerability management program” and to securing federal information systems.
The directive requires federal civilian agencies to develop and publish their respective VDPs within 180 days and says the policy must be on a public web page and describe how vulnerability reports should be submitted. It also says that reports can be submitted anonymously.
Rep. Jim Langevin (D-R.I.), a leading cyber security expert within Congress, praised the new directive.
“Assistant Director Bryan Ware and his team have done an absolutely terrific job with the vulnerability disclosure directive, which sets a new bar for cyber security leadership by the federal government,” he said in a statement, adding that he expects state and local government, private companies and non-profit organizations to model their VDPs on the directive.
Langevin also said the directive opens up a path for “well-meaning researchers trying to make the Internet safer as a means of engaging with government.”