The public comment period on the draft vulnerability disclosure program for federal agencies published by the Department of Homeland Security’s cybersecurity agency has been extended until Jan. 10, 2020.
The draft binding operational directive (BOD), one of the few authorities the Cybersecurity and Infrastructure Security Agency (CISA) has to force entities to take action, would require that federal agencies establish a VDP, in which security researchers could report vulnerabilities in agencies’ public-facing websites. The original comment period was set to expire Dec. 27, but CISA extended the deadline after a “phenomenal response” from stakeholders.
So far, CISA has received comments from stakeholders at federal agencies, in industry and at think tanks, concerned with everything from legal protections for researchers submitting vulnerabilities to mandated remediation time frames. Several comments have expressed concern about the resources agencies will ultimately have to dedicate to the disclosure programs.
“Effectively implementing a vulnerability disclosure policy across federal agencies and departments ... will take adequate resources, funding, and a sufficiently trained workforce,” wrote John Miller, senior vice president of policy at the Information Technology Industry Council (ITI), a trade association representing firms in the information and communications technology industry.
Stakeholders also suggested that agencies review their systems before the VDP is established.
“To prepare for implementation, agencies should also be encouraged to proactively scan their internal assets as soon as possible, mitigate high-priority vulnerabilities, and ensure their vulnerability management processes are effective,” wrote Ari Schwartz, executive coordinator of the Cybersecurity Coalition.
Adam Bernstein, an employee of the Office of Inspector General at the Department of Housing and Urban Development, wrote in a comment that legacy IT systems within agencies — which tend to have several vulnerabilities — should be left out of the disclosure program because they are underfunded and mission critical, and agencies don’t have the funds to mitigate their vulnerabilities.
“These legacy and underfunded systems should never be a part of any vulnerability disclosure program because the discovery of more vulnerabilities without the ability for remediation will only further weaken the country’s IT systems,” Bernstein wrote.
In response, one person wrote back that disclosing vulnerabilities in legacy systems would help illuminate underfunding for IT systems.
Security researchers are also concerned about the potential threat of legal action against them as they probe systems for vulnerabilities. The directive states that agencies commit to not pursuing legal action against researchers engaged in “good faith” efforts, but one person posted a comment on the CISA GitHub page suggesting that agencies’ Office of General Counsel (OGC) be involved in any policy decisions.
Karim Said, a cybersecurity professional at NASA, wrote that the policy needed language that “states OGC has reviewed and concurred with any assertions made regarding pursuit of legal action” because the disclosure program was likely to be executed out of the agency CIO’s office.
Stakeholders also harbored concern about the suggested remediation time frames in the VDP. CISA laid out recommendations that reported vulnerabilities be mitigated and remediated within 90 days, but interest groups wrote that CISA needed to clarify that these remediation recommendations were just recommendations, not requirements — arguing that international standards for VDPs don’t have mandated mitigation timelines.
“Missing an artificial deadline may result in unmet expectations and loss of trust with vulnerability reporters, and potentially prompt premature public disclosure of un-mitigated vulnerabilities that creates additional risks of exploitation,” Schwartz wrote.
In order for agencies to better understand the VDP requirements, one anonymous user commented that DHS should host an industry day for IT personnel, contractors, lawyers and other agency staff, covering the legal requirements, contracting opportunities, best practices for handling the increased remediation work that results, necessary workforce training and market research for agencies looking to go through a third party.
“A one-day industry day hosted by DHS may help decrease the possibility of agencies misunderstanding BOD requirements, and help them develop a strategy that would work best for their own agency,” the user wrote.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.