America’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) requiring the development and publication of vulnerability disclosure policies (VDPs).
A BOD is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems.
BOD 20-01, officially finalized yesterday, requires most executive branch agencies to create a VDP and publish it as a public web page. Agencies have 180 calendar days after the issuance of the directive to comply.
Under the terms of the directive, the VDP must include which systems are in scope, the type of vulnerability testing allowed, and a description of how to submit vulnerability reports.
Agencies must also state in their VDP “a commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represent a good faith effort to follow the policy, and deem that activity authorized.”
The new directive is the first BOD in CISA’s history to have been informed by a public comment round.
CISA asked for feedback from the public last November on an initial draft of BOD 20-01. Despite the feedback period’s correlating with America’s busiest holiday period, the agency received a substantial amount of feedback.
“We’d never done a public comment round on a directive before, but since the subject matter was ‘coordination with the public,’ this one merited it,” said CISA assistant director Bryan Ware.
“And even though the comment round spanned every holiday from late November to early January, the quantity and quality of feedback was nothing less than stellar.”
CISA received over 200 recommendations from more than 40 unique sources that included individual security researchers, academics, federal agencies, technology companies, civil society, and several members of Congress.
“Each one made the directive draft, its implementation guidance, and our VDP template better,” said Ware.
“Several submissions asked whether the mobile apps that agencies offer to the public would be in scope of agency VDPs. That was something we hadn’t considered before—and concur with.”
HackerOne CTO and co-founder Alex Rice described the finalized directive as “a pivotal milestone in the mission to restore trust in digital democracy and protect the integrity of federal information systems.”