CISA Launches New Vulnerability Disclosure Policy Platform (darkreading.com)
The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with Bugcrowd to launch the first ever federal civilian enterprise-wide crowdsourced vulnerability disclosure policy (VDP) platform.
The move will allow Federal Civilian Executive Branch (FCEB) agencies to coordinate with the civilian hacker community about vulnerabilities in their critical systems. FCEB agencies will now be able to receive security feedback from Bugcrowd’s community of ethical hackers around the world, helping them quickly identify and monitor vulnerabilities in their critical systems.
The collaboration follows the publication of the Binding Operational Directive (BOD) 20-01 in September last year. This directive mandates all FCEB agencies to develop and publish a VDP “for purposes of safeguarding federal information and information systems.”
The deal follows the announcement of Binding Operational Directive 20-01 last September, in which CISA laid out plans to create a vulnerability disclosure policy (VDP). It directed agencies to publish a VDP on their websites within 180 days, describing which systems it covers and how security researchers can report bugs. It also mandates timelines for acknowledging and dealing with each bug.
Government technology contractor Endyna will support the reporting platform under a one-year software as a service (SaaS) contract. The arrangement includes an optional extension of up to four years.
The VDP effort has been brewing for a while. CISA originally published the draft of BOD 20-01 in November 2019, inviting public comment on the issue. The final BOD and the forthcoming program will carry forward some of CISA's original suggestions, including the mandatory inclusion of all new computing systems in the scope of an agency's VDP.
Rep. Ted Lieu, D-Calif., arrives on Capitol Hill on February 13, 2021 in Washington, DC. Lieu introduced a bill which would require vulnerability disclosures of federal contractors. (Photo by Stefani Reynolds – Pool/Getty Images)
Rep. Ted Lieu, D-Calif., will announce Tuesday a bill that would require all federal contractors to have a vulnerability disclosure program.
The Improving Contractor Cybersecurity Act draws inspiration from the Department of Homeland Security's Binding Operational Directive 20-01, which ordered federal agencies to develop disclosure programs.
“As we have seen with SolarWinds and now with USAID, every vendor is a potential threat vector. With this bill, we’re acknowledging that risk and making sure the federal contracting statute can meet our needs from a risk management standpoint,” Lieu told SC Media.