September 3, 2020 (updated 4 Sep 2020, 9:19am)

CISA to .GOV Agencies: Get Vulnerability Disclosure Plans Sorted in 30 Days

"We see your work, we want to help, and we appreciate you"

By CBR Staff Writer

Federal Agencies have been ordered to stop threatening and start thanking security researchers for reporting vulnerabilities in their internet-facing infrastructure.

The demand comes via a new “binding operational directive” (BOD) from the US’s Cybersecurity and Infrastructure Security Agency (CISA) published September 2.

This requires each agency to develop and publish a Vulnerability Disclosure Policy (VDP) and “maintain supporting handling procedures” within 30 days.

In practice, that means setting up/updating a security@ contact for each .gov domain, regularly monitoring the email address associated with it, and staffing it with personnel “capable of triaging unsolicited security reports for the entire domain.”

Security professionals are about to get even more in demand…

Want to Poke Holes in .gov Domains? Maybe Wait Another 180 Days… 

Agencies have longer (180 days) to clearly spell out what is in scope; at least “one internet-accessible production system or service must be”, CISA says.


The policy must also include “commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy, and deem that activity authorized.”

As CISA Assistant Director Bryan Ware notes: “Imagine walking your neighborhood in the cool dawn and noticing a home at the end of the block engulfed in flames. You look around. No one else appears to have noticed yet. What do you do? You’ll likely call 911, share the address of the burning home, and stick around to help if needed.


“Now, imagine visiting a government web application – say, website.gov – on a balmy evening and noticing an open redirect on the site. You click around. Nothing on the site hints at how to report this. What do you do? If you’re into cybersecurity, you might send a short email to security@website.gov, pulse some contacts when it bounces, and tweet something spicy about website.gov. It doesn’t have to be this way…”

The move comes after CISA in November — as reported by Computer Business Review — asked for feedback on a draft operational directive, BOD 20-01, which would require most executive branch agencies to create a VDP that spells out to those who find flaws in an agency’s digital infrastructure “where to send a report, what types of testing are authorized for which systems, and what communication to expect in response.”

As CISA’s Bryan Ware noted, however, the federal vulnerability disclosure requirement is not a chance for over-eager vendors to start pitching their wares.

“A final note to those people who find and report vulnerabilities: we see your work, we want to help, and we appreciate you. To others that would use these new ways to reach agencies, please: this is not a business development opportunity, and pitches to security@agency.gov aren’t going to be appreciated.

“Don’t @cisagov on your spicy tweets.”

Full details of the binding operational directive are here

