DHS cyber agency issues order boosting cybersecurity vulnerability reporting

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a final directive requiring all federal agencies to develop and publish cyber vulnerability disclosure policies. 

The directive, which is the finalized version of a draft order published by CISA in November, is intended to make it easier for the public to disclose cybersecurity vulnerabilities to federal agencies and what types of communication to expect after reporting the issue.  

“Cybersecurity is strongest when the public is given the ability to contribute, and a key component to receiving cybersecurity help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” Bryan Ware, assistant director for Cybersecurity at CISA, said in a statement. 

In a separate blog post, Ware compared vulnerability disclosure to alerting authorities to a house fire or another emergency. 

“Imagine visiting a government web application – say, website.gov – on a balmy evening and noticing an open redirect on the site,” Ware wrote, referencing a type of cyber vulnerability. “You click around. Nothing on the site hints at how to report this. What do you do? If you’re into cybersecurity, you might send a short email to security@website.gov, pulse some contacts when it bounces, and tweet something spicy about website.gov.”

“It doesn’t have to be this way,” he added. 

CISA asked the public for input on the draft order last year, the first time the agency had taken that step. Ware wrote that CISA received over 200 recommendations, including those from the Commerce, Education, Energy, Justice, and Treasury Departments, House Minority Leader Kevin McCarthy (R-Calif.), Sen. Amy Klobuchar (D-Minn.), and Rep. James Langevin (D-R.I.). 

“Even though not all suggestions led to a direct change, every comment helped us think more deeply about vulnerability coordination in the federal enterprise,” Ware wrote. “Our sincere thanks.”

Langevin, a member of the congressionally-established Cyberspace Solarium Commission, applauded the move by CISA on Wednesday. 

“When cybersecurity researchers find a flaw in software, they need to have some mechanism for reporting it so it can be fixed,” Langevin said in a statement. “I have long advocated for vulnerability disclosure policies that provide clear guidelines for such reporting, and, today, the federal government is taking an important step in normalizing them.”