OMB Releases Draft Guidance for Federal Agency Implementation of Vulnerability Disclosure Programs
On November 27, 2019, the Office of Management and Budget (OMB) released a draft policy requiring Federal Agencies to adopt Vulnerability Disclosure Programs (VDP) and to consider expanded use of Bug Bounty programs. OMB is seeking comments on its draft policy, entitled, “Improving Vulnerability Identification, Management, and Remediation,” through December 27, 2019.
VDPs have experienced a significant rise in popularity over the last several years, and the federal government’s adoption of mandatory VDPs will likely continue to push expectations across the private sector.
There are, however, collateral impacts to consider, including the possible strain on an already lean federal cyber workforce. The draft notes the “Federal Government’s shortage of information technology and cybersecurity personnel” but does not explain how adding this new role and workload, which will often be “short fuse,” will help rather than hurt.
The draft is also silent on how new federal VDP programs will affect the many federal IT and managed service providers who build, run, and secure federal systems. Their existing contracts are unlikely to address new obligations to triage and respond to third-party reports of claimed vulnerabilities.
OMB’s draft policy provides guidance on the publication and implementation of VDPs and Bug Bounties that authorize “good faith security research.” OMB noted historical reluctance to adopt such programs, stating that, “Many government information systems are accompanied by strongly worded statements warning visitors against unauthorized use and implying legal reprisal.” OMB acknowledges that, “the cost, organizational competence, and maturity required for a strong program has led them to be introduced sparingly thus far, and be limited in duration.” OMB’s draft Guidance, in contrast, strongly encourages that, “Federal agencies will provide clear assurances that good-faith security research is welcomed and authorized.”
The Guidance directs Federal Agencies to encourage security researchers to report vulnerabilities by (1) establishing clearly identified reporting mechanisms; (2) providing timely feedback to good-faith vulnerability reporters and establishing clear expectations for follow-up communications; and (3) providing clear statements about the scope of permitted good-faith security research.
OMB’s Guidance was released on the same day as a Department of Homeland Security (DHS) draft binding operational directive, BOD 20-1, which will require federal civilian executive branch agencies to publish Vulnerability Disclosure Programs (VDPs).
The Guidance further directs that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will:
• Within 60 days, CISA, in consultation with the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST), will publish immediate actions agencies shall take to begin instantiating a VDP into agency information security programs in an effective, responsible, and tailored manner.
• Within 150 days, CISA will publish a Federal-wide strategy and implementation plan, which will stipulate how CISA will coordinate with agencies to identify and address persistent and common challenges that have emerged related to vulnerability reporting and remediation, or common threat or vulnerability findings.
• Within 240 days, CISA will work with the Office of the Federal Chief Information Officer (OFCIO) and Federal agencies on the appropriate methods or mechanisms to coordinate the tracking of submitted vulnerabilities across the Federal enterprise, including where centralized CISA programs or services can help address common vulnerabilities.
As VDP programs are increasingly adopted by public and private entities alike, OMB’s Guidance may be an opportunity for stakeholders to ensure additional perspectives on risk and business decision making are part of the conversation as the U.S. government continues to develop its approach to implementing VDPs.
Comments may be submitted to the OMB Office of the Federal Chief Information Officer via email to firstname.lastname@example.org. The deadline for submitting comments is 5:00 PM EST on December 27, 2019.
* Kamila Benzina is a law clerk in the TMT practice.