Vulnerability Disclosure is Now Mandatory for Federal Agencies - Here's How to Make it Happen
Federal agencies exist to protect and support the nation and its citizens. Despite their elaborate processes to reduce cyber risk, many American agencies lack modern mechanisms to help identify potential security gaps in the technologies they use every day. That shortfall continues even as many U.S. government organizations vigorously promote the benefits of crowdsourced security, including the United States Department of Defense, Food and Drug Administration, National Highway Traffic Safety Administration, National Telecommunications and Information Administration, National Institute of Standards and Technology, and Federal Trade Commission.
To rectify this security gap, the Cybersecurity and Infrastructure Security Agency (CISA), a unit of the U.S. Department of Homeland Security charged with building a secure and resilient national infrastructure, issued Binding Operational Directive 20-01. The directive requires federal civilian agencies to—by March 1, 2021—develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services. This action moves the proven and effective VDP from a strong recommendation to a binding and compulsory requirement. It also helps standardize the policies to create clear pathways for ethical hackers to submit and communicate about potential vulnerabilities.
But, if you’re charged with securing technology at a federal agency, what does this mean?
By issuing a binding directive, CISA is compelling agencies to denote a security contact by October 2, 2020, and publish a VDP within 180 days. The directive offers guidelines on how to develop and publish VDPs, and how vulnerabilities should be disclosed and mitigated. But, the directive gives agencies flexibility to craft their own unique VDP, and allows agencies to work with third parties to develop their policies.
So what do you do now? Here are five steps you should start today to comply with this directive while effectively reducing the risk to your internet-facing technologies.
1. Understand Your Current State vs. What’s Required
The CISA directive has nine requirements, ranging from simply adding a security contact email address to any .gov domain to developing vulnerability handling, disclosure, and reporting processes. It’s a lot to do in just six months, especially for those starting from scratch. And it casts a wide net, since it covers all internet-accessible systems or services, including those that were not intentionally made internet-accessible. But the directive gives agencies wide leeway to craft programs and policies that fit their existing security apparatus and needs. And, the ultimate goal is to increase the security of government data.
“When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and address a wider array of concerns,” according to the CISA directive. “This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies. Additionally, ensuring consistent policies across the executive branch offers those who report vulnerabilities equivalent protection and a more uniform experience.”
As mentioned, the timeline is aggressive. Every .gov domain must have a security contact published by October 2, 2020. Additional guidelines will be published by CISA within 60 days. A VDP must be published within 180 days. Milestone reporting must commence immediately after a VDP is published, and formal metrics must be reported via CyberScope within 270 days.
Once a VDP is in place, the directive also mandates that vulnerability reports are delivered to system owners within 48 hours of submission. Furthermore, agencies must “establish a channel for system owners to communicate with vulnerability reporters.” Obviously traditional processes based on paper, email, spreadsheets, or manual efforts will struggle to meet these speed and collaboration requirements.
If you’re starting from scratch or from a minimal program, however, you’re not alone. Even in the private sector, more than 8 out of 10 of the largest global companies still do not have known VDPs. But there are available tools and guides to help accelerate the development process. The CISA plans to eventually offer a basic VDP service. However, the details and scope of their program are not yet clear. Alternatively, HackerOne Response provides a proven VDP structure built on the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST). HackerOne is also the first hacker-powered security vendor to receive FedRAMP authorization.
2. Set Out to Build an Effective VDP
A good VDP offers an easy way for researchers and ethical hackers to notify you of a potential vulnerability. That sounds simple but is challenging to implement. Worse yet, a poorly written policy or cumbersome process may open your agency to increased risk, or result in wasted resources from inefficient processes. Additionally, your security team must not only be prepared for an onslaught of incoming reports, but be equipped to quickly triage and route reports, communicate with the reporter, collaborate with internal development teams, and more. Any roadblocks along the way could result in disgruntled security researchers or compromised security.
It’s important to involve the various cross-functional stakeholders from the outset. Of course, your security, information technology, and web development teams are crucial stakeholders. Nevertheless, it’s also important to include legal, communications, operations, and other teams who may be impacted by a potential security gap or that should just be informed of the efforts to mitigate security risks.
HackerOne provides many tools, templates, and guides to help you develop an effective VDP. HackerOne Response further provides a complete platform for deploying a VDP and managing the entire VDP reporting, communication, and mitigation processes, and it can seamlessly integrate with your existing security and collaboration tools.
3. Draft an Opening Statement
Responsible disclosure is a process built on trust and faith. Ethical hackers have long been wary of notifying organizations of potential vulnerabilities due to negative reactions and threats of legal action from those practicing “security by obscurity.” Those misguided efforts are being pushed aside as more organizations promote and deploy public VDPs, but researchers still fear the potential wrath of aggressive legal teams...unless your VDP states a clear commitment to not penalize those reporting potential vulnerabilities in good faith.
This statement is generally the opening section of a well-written VDP. It’s typically referred to as the “brand promise,” but it's simply a statement that explains your agency’s commitment to security and invites researchers to submit vulnerabilities.
The brand promise for the U.S. Department of Defense reads: “The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and DoD recognizes that fostering a close relationship with the community will help improve our own security.”
HackerOne provides many tools, templates, and guides to assist in the development of your brand promise.
4. Identify Your Scope
The scope of a VDP includes the internet-accessible systems or services covered by the policy. The CISA directive requires that agencies publish their scope in the VDP. However, they also encourage agencies to define broad scopes, such as “all internet-accessible online services” or “any system within the example.gov domain.” They also remind agencies to not forget mobile applications, if any.
The scope essentially tells researchers what’s fair game for their efforts. A common scope component is explicitly calling out properties not in scope, which offers further clarity and direction to researchers. These out-of-scope areas may include staging sites or properties controlled by partners or third parties.
Remember, the CISA directive requires the VDP to cover all internet-accessible systems or services, including those that were not intentionally made internet-accessible. Crafting a broad scope helps ensure compliance with these requirements. HackerOne Response covers all aspects of VDP creation and articulation, including defining and publishing what’s in and out of scope.
5. Establish a Process
While the scope defines the properties covered by your VDP, the CISA directive also requires that you define the types of testing allowed. In reality, the scope defines the playing field while the allowable testing defines the rules of the game. Acceptable testing types typically include those found using manual, human-directed efforts. Disallowed types may include social engineering techniques, phishing or malware attacks, automated scanners, vulnerabilities requiring physical device access, and more.
Defining the type of testing ensures that researchers offer net new techniques for uncovering potential vulnerabilities. But once a potential vulnerability is found, the real disclosure and mitigation process begins. To facilitate a clear process, the CISA directive also requires that agencies provide a description of how reports are to be sent, detail the information to be included with the report, and allow for a statement that reporters may submit.
But this is just the first step in a long process of triage and remediation where you’ll need to assess, prioritize, mitigate, and address incoming vulnerability reports. Even more daunting is the CISA requirement to ensure vulnerability reports are made available to system owners within 48 hours of submission. So as a new report arrives, your agency must quickly identify the responsible parties, gather any critical information from the researcher, and alert the system owner.
HackerOne Response helps agencies of any size effectively manage the publishing and facilitation of a VDP. This extends from articulating a policy to meet your agency’s unique needs to building a streamlined process to comply with this new CISA directive.
This new CISA directive gives you three immediate goals: achieving compliance with the mandate, minimizing the deployment effort, and maximizing security and ROI. HackerOne is the best partner to help you meet these goals with our proven, end-to-end VDP platform.
HackerOne provides the most effective path to compliance with CISA requirements. Since 2012, HackerOne has partnered with thousands of organizations to unlock the security value of the global hacking community. We’ve helped hundreds of organizations begin their journey to hacker-powered security by championing and pioneering the implementation of VDPs across the private sector, but also in the FED and SLED spaces. Our VDP structure is built on best practices and based on the recommended practice outlined in the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), as well as those of many other agencies and organizations. HackerOne is also the first hacker-powered security vendor to receive FedRAMP authorization.
HackerOne provides the expertise to help you quickly build a VDP infrastructure. HackerOne can help you establish a VDP that allows you to achieve compliance with minimal operational disruption. But more importantly, we can guide you on your end-to-end strategy. HackerOne empowers you to craft a VDP and report on program stats and specifics to create a strategy that’s right for your business.
HackerOne delivers hacker-powered security solutions with efficiency and effectiveness. The CISA directive is an effort to improve overall security. Don’t waste the expense and opportunity to maximize the security benefits of this new program. HackerOne offers testing that conforms to your agency’s needs, helps integrate vulnerability reports with your existing processes, and facilitates access to the world’s largest community of security researchers.
With HackerOne, you can comply with the CISA directive, improve your security, and do it all with minimal operational disruption. To learn more, visit hackerone.com/product/response or send a message to VDP@hackerone.com to speak with a federal VDP expert.