The Department of Homeland Security will be seeking feedback until Jan. 10 on how to formulate the draft vulnerability disclosure program designed to provide federal agencies with a structured way to report cybersecurity issues, The Fifth Domain reported Friday.
The Cybersecurity and Infrastructure Security Agency released a draft binding operational directive on Dec. 2 that would require federal agencies to disclose the vulnerabilities of their public websites.
Adam Bernstein, information technology manager at the Office of Inspector General, Department of Housing and Urban Development, wrote that legacy IT platforms should be excluded from the disclosure requirement because they are underfunded. He received a response saying that disclosures could help highlight the lack of funding for legacy IT systems.
CISA also received feedback on its proposed 90-day time frame between vulnerability disclosure and repair, as well as a suggestion for the agency to hold an industry for technical, legal, industry and government personnel to discuss the program.