DHS Cybersecurity Arm Directs Executive Agencies to Develop Vulnerability Disclosure Policies

Dec 3, 2019

By Jennifer Thompson

On November 27, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) released for public comment a draft of Binding Operational Directive 20-01, Develop and Publish a Vulnerability Disclosure Policy (the “Directive”). Under the Directive, Executive Branch agencies are required to develop and publish a procedure by which members of the public can report discovered vulnerabilities without fear of prosecution. The Directive is accompanied by a draft coordinated vulnerability disclosure policy.

Today there is no consistency among Federal agencies with respect to the establishment or operation of vulnerability disclosure programs (VDPs). Although agencies such as the Department of Defense and the General Services Administration have already published VDPs, many Federal agencies have no strategy at all for handling third-party vulnerability reports. Only a few have formally acknowledged that good-faith reporters will be exempted from prosecution under the Computer Fraud and Abuse Act of 1986, which prohibits third parties from accessing computer systems without authorization. This has created a situation in which individuals with knowledge of vulnerabilities in governmental systems are not reporting them, leaving those systems at greater risk of attack.

By requiring VDPs, CISA is hoping to foster collaboration between the public and the government as well as promote a stronger governmental infrastructure. CISA noted in its press release: “A key benefit of a vulnerability disclosure policy is to reduce risk to agency infrastructure and the public by incentivizing coordinated disclosure so there is time to fix the vulnerability before it is publicly known.” In addition, the Directive establishes a clear baseline for policy across agencies.

Pursuant to the Directive, Executive Branch agencies must:

  1. Enable receipt of unsolicited reports. This includes identifying a security contact and a monitored email address for each registered government domain, and ensuring that the personnel monitoring the email address are able to evaluate the security reports they receive.
  2. Develop and publish a VDP. The VDP must identify the systems at the agency that are covered by the policy; the types of testing third parties may perform; a prohibition against disclosure of any personally identifiable information discovered during testing; a description of how to submit reports; a commitment not to pursue legal action against reporters; and a description of how the agency will communicate its receipt and evaluation of a report.
  3. Make all internet-accessible systems subject to the VDP within 2 years. Not all systems must be included in the VDP immediately, but the Directive requires that every new internet-accessible system an agency brings online after creating its VDP be subject to third-party review, and that additional existing systems be added regularly, with the goal of having all of each agency’s internet-accessible systems subject to review within 2 years of instituting the VDP.

Furthermore, when creating a VDP, agencies should not: (i) require a reporter to personally identify themselves; (ii) limit participation to US citizens; or (iii) require reporters to keep the uncovered vulnerability confidential for longer than a prescribed and limited period of time. The last requirement is designed to ensure that the agency acts in a timely and responsible manner to investigate and resolve the vulnerability. While each VDP will vary based on the needs of the particular agency, 90 days is a good benchmark for the period during which reporters may be required to keep the information confidential.

The public sector has long used “bug bounty” programs to provide financial incentives for individuals to report identified vulnerabilities. While the Directive stops short of requiring agencies to offer financial rewards, agencies are permitted to do so. The overarching goal of the Directive is to create and foster an environment where good faith security research on specific, internet-accessible systems is welcomed and authorized by all Executive Branch agencies.

DHS is authorized by the Federal Information Security Modernization Act of 2014 (44 U.S.C. §3553(b)(2)) to issue and oversee Binding Operational Directives. These directives are binding on departments and agencies of the Executive Branch of the Federal government, although they do not apply to certain statutorily identified national security and intelligence systems or the Department of Defense.

The VDP Directive is the first ever for which DHS has solicited public comment. The public and constituent agencies are invited to comment on the Directive via email or GitHub until 11:59 PM on December 27, 2019.
