SECURITY
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has released a draft version of a directive that would require federal agencies to establish vulnerability disclosure policies.
The draft Binding Operational Directive 20-01 has been designed to address an environment that delays or discourages the public from reporting potential information security problems to the government, preventing the issues being discovered and fixed.
“Most federal agencies lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” the draft directive notes. “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”
The directive, if enforced, would require agencies to publish policies describing which systems they are responsible for, the types of testing allowed, and how security researchers and others can submit vulnerability reports. Notably, the draft directive would also require agencies to commit to not pursuing legal action against anyone acting in good faith who reports bugs and vulnerabilities.
The draft, which is now open to discussion and feedback, has been well received by security experts.
“This is a good thing,” Chris Morales, head of security analytics at AI cybersecurity firm Vectra AI Inc., told SiliconANGLE. “It is a requirement for a policy to handle any potential disclosure from a third party source. Many organizations lack that basic process. The policy here is to implement the handling of third-party disclosure internally for remediation. There is no challenge to having this type of policy other than it doesn’t exist and many haven’t thought about it.”
Morales added that the policy is a “great start,” but how those disclosures are handled internally will be important. “The people dedicated to managing and fixing vulnerabilities have to be aware of their duties and these disclosures must be treated as a priority,” he said. “Otherwise, it is like having a published fire drill but no one is aware it exists when a fire happens.”
Thomas Hatch, chief technology officer and co-founder at IT automation software provider SaltStack Inc., called the CISA vulnerability disclosure draft rule a “fantastic step forward” in enforcing disclosure.
“It has been proven time and time again that proper disclosure of vulnerabilities is one of the best deterrents to security breaches,” Hatch explained. “Having a vulnerability disclosure policy has long been a standard expected of software companies and extending this from a government perspective will greatly assist and enhance corporations’ awareness around proper disclosure.”
Fausto Oliveira, principal security architect at Cognitive Continuous Authentication provider Acceptto Corp., said that in the past, the Federal Trade Commission and the Department of Justice have encouraged organizations to adopt a Vulnerability Disclosure Policy.
“However, it was merely a recommendation without making it a mandatory activity,” Oliveira said. “Without making it a mandatory activity, there will continue to be doubts as to what impact it would have. With this new directive, we are seeing a push to have it made compulsory, which will force federal agencies to start researching how a Vulnerability Disclosure Policy would work and how their assets can be categorized inside the context of this policy.”