The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is updating its vulnerability disclosure policy and will seek public comments from industry and agency partners on the directive upon release, Federal News Network reported Thursday.
Jeanette Manfra, assistant director for cybersecurity at CISA, said the forthcoming directive is part of the agency’s effort to make fiscal year 2020 the “year of vulnerability management.”
Manfra said CISA has collaborated with the private sector and other agencies to seek insights on their vulnerability policies as it works on updating the directive.
“We’ve never done this before, but we have found that in all of our directive development, we’ve found a lot of value from experts outside of the government, in providing feedback on what to focus on, how to focus on it, and we want to really capture that,” she said Thursday at the Cybersecurity Coalition’s CyberNext D.C. conference.
The upcoming vulnerability disclosure policy will further build up the National Risk Management Center as a hub for cyber threat sharing and help improve the process by which ethical hackers involved in the government’s bug-bounty initiatives, as well as researchers, can immediately alert agencies about previously unknown vulnerabilities.