CISA Binding Operational Directive 20-01
Jurisdiction
United States
Region
North America
Requirement
Required
Organization
CISA
Provision
N/A
Applies to
Federal agencies
Date
September 2020
Description
Enable Receipt of Unsolicited Reports: Agencies must ensure that they have a designated security contact for their .gov domains and that the contact's email is regularly monitored.

Develop and Publish a Vulnerability Disclosure Policy: The VDP must include which systems are in scope; the types of testing that are allowed; a description of how to submit vulnerability reports; a commitment not to recommend or pursue legal action; a statement that sets expectations for the reporter and pledges that the agency will be as transparent as possible about remediation; and an issuance date. A VDP must not require the submission of PII; limit testing solely to vetted registered parties or US citizens; attempt to restrict the reporter's ability to disclose discovered vulnerabilities to others; or submit disclosed vulnerabilities to the Vulnerabilities Equities Process or any similar process.

Vulnerability Disclosure Handling Procedures: VDPs must "Describe how: Vulnerability reports will be tracked to resolution; Remediation activities will be coordinated internally; Disclosed vulnerabilities will be evaluated for potential impact and prioritized for action; Reports for systems and services that are out of scope will be handled; Communication with the reporter and other stakeholders (e.g., service providers, CISA) will occur; Any current or past impact of the reported vulnerabilities (not including impact from those who complied with the agency VDP) will be assessed and treated as an incident/breach, as applicable. Set target timelines for and track: Acknowledgement to the reporter (where known) that their report was received; Initial assessment (i.e., determining whether disclosed vulnerabilities are valid, including impact evaluation); Resolution of vulnerabilities, including notification of the outcome to the reporter."

Reporting Requirements and Metrics: After the VDP is created, federal agencies must report valid/credible reports of newly discovered vulnerabilities on agency systems that could affect other parties in government or industry.

CISA Actions: "CISA will monitor agency compliance to this directive and may take actions for non-compliance" and "will review agencies' initial implementation plan that reflects timelines and milestones for their VDP" to cover the systems required under OMB's M-20-30.