The Cybersecurity and Infrastructure Security Agency (CISA) is directing federal agencies and contractors to report cybersecurity vulnerabilities in systems and technologies to prevent potential exploitation by adversaries.
CISA said Wednesday that agencies must implement a Vulnerability Disclosure Policy (VDP) to ensure the resiliency of the U.S. government’s online services and simplify the public’s reporting of cyber vulnerabilities.
The VDP is based on a “bug bounty” concept of incentivizing public action and covers the federal government's internet-accessible information systems. The effort is also meant to support the Office of Management and Budget’s (OMB) “Improving Vulnerability Identification, Management, and Remediation” directive, according to CISA.
In a blog post published Wednesday, CISA Assistant Director Bryan Ware said the agency’s Binding Operational Directive (BOD) 20-01 reflects its “renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911.”
“This directive is different from others we’ve issued, which have tended to be more technical – technological – in nature,” he said. “At its core, BOD 20-01 is about people and how they work together.”