CISA Pushing U.S Federal Agencies to Develop and Publish A Vulnerability Disclosure Policies


CISA (the Cybersecurity and Infrastructure Security Agency), the U.S. cybersecurity agency, has recently proposed a new policy for all federal agencies. It has issued a draft directive that would require every agency to develop and publish a vulnerability disclosure policy.

On December 2, 2019, CISA issued the draft directive, which would make the adoption of vulnerability disclosure policies compulsory for all agencies. This would give ethical hackers clear guidelines for submitting bugs found in government systems.

Security experts hope that this will light a fire under federal agencies to create more transparency around the ins and outs of vulnerability disclosure. The directive could also increase the overall level of trust between the government and the security community.

According to CISA, the directive will be binding on federal agencies once issued; it is currently in a draft phase and will remain open for public comment until December 27, 2019.

The directive was drafted because many federal agencies lack a formal mechanism for receiving information from ethical hackers about significant security vulnerabilities in their systems.

On this point, CISA said in the draft directive: “There are many agencies who have no defined strategies for handling reports about such issues shared by outside parties. Only a few agencies have stated that those who disclose vulnerabilities in good faith are authorized.”

The directive aims to fill these gaps by asking agencies to publish policies with a detailed description of which systems are in scope, which types of testing are allowed, and how white-hat hackers can submit vulnerability reports.

According to CISA, these policies would cover all internet-accessible devices, systems, or services at government agencies, including systems that were not intentionally made internet-accessible.

The directive also covers the logistics of handling a vulnerability disclosure report, including how reports are tracked and evaluated, along with reporting requirements and metrics. CISA says agencies also need to build the capability to handle unsolicited reports about significant vulnerabilities.

Many security experts, such as Katie Moussouris, founder of Luta Security, tweeted their applause for the measure taken by CISA. Moussouris has worked with the U.S. government in the past to flesh out bug bounty programs such as Hack the Pentagon. She said the directive has many positive points, including encouraging agencies to accept submissions from white-hat hackers worldwide and banning non-disclosure rules for submitters.

The draft directive is part of a broader U.S. government strategy to strengthen security measures across agencies. In May 2019, for instance, the government ordered agencies to remediate critical vulnerabilities discovered on their systems within 15 days.

Chris Morales, head of security analytics at Vectra, told Threatpost: “Public vulnerability disclosure should be a basic practice for every company, not just government agencies.”

The security community frequently discovers vulnerabilities in business software. If an organization does not invest in cyber protection, vulnerabilities will accumulate in its systems and servers and persist until someone finds a use for them, leading to a breach.

As a cybersecurity service provider in San Diego County, Fusion Factor recommends that businesses stay protected and keep learning about cyber threats, so as to stay safe from data breaches and cyber-attacks. For a free cyber assessment, contact Fusion Factor at (760) 940 4200 or visit: https://www.fusionfactor.com/it-services/cyber-security/