|Federal civilian agencies will need to have up and running programs to accept and act on vulnerabilities in their public facing systems within two years.|
This week, the Trump Administration published final guidance and orders to civilian United States agencies on how they need to be accepting and using vulnerabilities researchers have turned up and submitted. Regularizing this process is supposed to both help agencies learn of and mitigate vulnerabilities and to encourage researchers to submit them. However, instead of establishing one program each agency will use, the Administration is opting to let each agency set up its own system within broad guidelines according to an enumerated timeline. Within two years, all federal “internet-accessible systems or services” at a civilian agency must be part of this vulnerability disclosure process. As with most federal cybersecurity efforts, the success of this initiative will depend on agency buy-in and follow through from the White House.
The Office of Management and Budget (OMB) issued the memorandum, M-20-32, “Improving Vulnerability Identification, Management, and Remediation,” to provide “[f]ederal agencies with guidance for obtaining and managing their vulnerability research programs.” And, pursuant to this memorandum, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issuing mandatory direction to civilian agencies in establishing their Vulnerability Disclosure Policy (VDP).
Federal agencies should continue to align their coordinated vulnerability disclosure (CVD) programs with internationally recognized standards (i.e. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 29147 and ISO/IEC 30111) to the extent possible, consistent with Federal law and policy. CVD can expand the diversity of thinking involved in vulnerability identification and substantively improve the cybersecurity posture of Federal information systems.
Maintaining processes, procedures, and toolsets to identify, manage, and remediate vulnerabilities (i.e., managing the full vulnerability life cycle), no matter how they are discovered, is key to sustaining a risk-aware enterprise cybersecurity program. While many Federal agencies already maintain certain capabilities to discover vulnerabilities, such as penetration testing or receiving threat and vulnerability information from the Department of Homeland Security (DHS), agencies can benefit from closer partnerships with the reporters who choose to use their skills to find and report vulnerabilities on Federal information systems as a means to improving national cybersecurity.
In order to improve vulnerability identification, management, and remediation, Federal agencies shall implement VDPs that address the following areas:
- Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research5 is welcomed and authorized.
- Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported.
- Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report them deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.
- Unencumbered Remediation: To streamline communication and collaboration, Federal agencies shall ensure vulnerability reports are available to system owners within 48 hours of submission, and shall establish a channel for system owners to communicate with vulnerability reporters, as appropriate.
- Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of2014 (FISMA) or 0MB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information. However, in the process of assessing and responding to vulnerabilities reported according to agencies’ VDPs, agencies shall work with their senior agency officials for privacy (SAOPs) to evaluate affected Federal information systems for breaches that occurred outside the scope of the good-faith security research (e.g., a breach that occurred before the research was conducted) and follow the requirements outlined in M-17-12. Pursuant to M-17-12, agencies may impose stricter standards consistent with their missions, authorities, circumstances, and identified risks.
As mentioned, CISA issued Binding Operational Directive (BOD) 20-01, “which requires individual federal civilian executive branch (FCEB) agencies to develop and publish a VDP for their internet-accessible systems and services, and maintain processes to support their VDP” according to the agency’s press release. The agency added that “[t]his BOD is part of CISA’s agency-wide priority to make 2020 the “year of vulnerability management,” with a particular focus on making vulnerability disclosure to the civilian executive branch easier for the public.”
Cybersecurity is a public good that is strongest when the public is given the ability to contribute. A key component to receiving cybersecurity help from the public is to establish a formal policy that describes the activities that can be undertaken in order to find and report vulnerabilities in a legally authorized manner. Such policies enable federal agencies to remediate vulnerabilities before they can be exploited by an adversary – to immense public benefit.
- A vulnerability is a “[w]eakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities are often found in individual software components, in systems comprised of multiple components, or in the interactions between components and systems. They are typically exploited to weaken the security of a system, its data, or its users, with impact to their confidentiality, integrity, or availability. The primary purpose of fixing vulnerabilities is to protect people, maintaining or enhancing their safety, security, and privacy.
- Vulnerability disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware”. The individual or organization that performs this act is called the reporter.
- Agencies should recognize that “a reporter or anyone in possession of vulnerability information can disclose or publish the information at any time,” including without prior notice to the agency. Such uncoordinated disclosure could result in exploitation of the vulnerability before the agency has had a chance to address it and could have legal consequences for the reporter as well. A key benefit of a vulnerability disclosure policy is to reduce risk to agency infrastructure and the public by incentivizing coordinated disclosure so there is time to fix the vulnerability before it is publicly known.
- A VDP is similar to, but distinct from, a “bug bounty.” In bug bounty programs, organizations pay for valid and impactful findings of certain types of vulnerabilities in their systems or products. A financial reward can incentivize action and may attract people who might not otherwise look for vulnerabilities. This may also result in a higher number of reports or an increase in low-quality submissions. Organizations engaged in bug bounties will frequently use third-party platforms and service vendors to assist in managing and triaging bug reports. Bug bounties may be offered to the general public or may only be offered to select researchers or those who meet certain criteria. While bug bounties can enhance security, this directive does not require agencies to establish bug bounty programs.
Late last year, OMB and CISA released draft vulnerability disclosure documents for comment from stakeholders: A Request for Comments on Improving Vulnerability Identification, Management, and Remediation and a draft Binding Operational Directive (BOD).
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.