Debbie Chang

Why Every Federal Agency Needs a VDP

Why Every Federal Agency Needs a VDP

"The decision to require that every agency have a vulnerability disclosure policy is a major step forward in both increasing security and extending an open hand to a community that is on the front lines of securing our nation in cyberspace." - statement of bipartisan support for vulnerability disclosure policies by James Langevin, Member of Congress, and Kevin McCarthy, Member of Congress

Hackers are good and the entire world, including the U.S. government, is seeing the value they provide. That is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a draft directive, requiring that every federal civilian agency publish a vulnerability disclosure policy (VDP). This is a bold move and also a necessary one.

VDPs are the equivalent of a ‘see something, say something’ for security bugs in the digital world. They are intended to give ethical hackers, or anyone who stumbles across something amiss—clear guidelines on how to report a potentially unknown or harmful security vulnerability to an organization. VDPs have been an established best practice within the tech industry for years, deployed by companies like Google, Facebook, Microsoft and others. They are also a recommended practice outlined in the Cybersecurity Framework by the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), National Highway Transportation System Administration (NHTSA), Department of Justice (DOJ) and other authorities.

In 2016, the U.S. Department of Defense (DoD) became the first agency in the history of the Federal Government to invite ethical hackers to find security flaws in systems run by the Pentagon, Air Force, and Army. Based on the success of these vulnerability disclosure programs, the DoD realized that they also needed to have an open door to the security researcher community 24/7/365, leading to the establishment of a VDP that same year. That VDP is now one of the most progressive and effective programs of the modern era, surfacing over 12,000 security vulnerabilities in just 3 short years. Thanks to the ethical hacker community, those vulnerabilities have been identified and fixed, significantly reducing the risk of data breaches and crime targeted at the Pentagon’s systems. The DoD’s VDP has been so successful that it won the U.S. Department of Defense CIO Award this year and continues to serve as a role model for other federal agencies and larger corporations. 

This CISA directive is important because it ensures that every federal civilian agency adopts a VDP, one of the same exact type that the U.S. Department of Defense has been running for the last three years. There are over 400 civilian agencies within the U.S. federal government tasked with protecting mission critical systems and vast amounts of sensitive user data belonging to the population at large. Malicious hackers only need one way in to wreak havoc and compromise a system. Yet, there are hundreds of thousands of ethical hackers out there who want to do the right thing and safely report potential security weaknesses to the U.S. government. With this initiative, the U.S. government will make it possible for the world’s best security experts to help improve the security of every civilian agency in our federal government 

Our government should be applauded for continuing to set an example to the rest of the world. It wasn’t that long ago when the DoD became the first federal agency to leverage the help of the ethical hacker community. Now, we have other governments around the world following suit, including the UK’s National Cyber Security Centre, European Commission, Singapore’s Ministry of Defence and Singapore’s Government Technology Agency. No other country has mandated hacker-powered security for all of  its agencies. The U.S. government is the first and is leading the way for other nations to make their public sector digital assets secure. 

We are heading into an election year and the U.S. Census is right around the corner. The volume of personal data entrusted to federal agencies is swelling to new highs. We must applaud the government for not standing still. The integrity of the digital systems of our government is more important than ever. 

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report