The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has released a draft binding operational directive that would require federal agencies to have a vulnerability disclosure policy.
Jeanette Manfra, assistant director for cybersecurity at CISA, wrote in a blog post published Wednesday the draft directive would direct each agency to publish a VDP and maintain handling procedures and add at least one system or service to the scope of an agency’s VDP every 90 days.
The Office of Management and Budget also issued a draft policy that would require all federal agencies to publish a VDP within 180 days; come up or update their internal vulnerability handling procedures to meet CISA requirements within 180 days; and use the quarterly Federal Information Security Modernization Act reporting to comply with the requirements.
Under the draft OMB policy, CISA will work with the National Institute of Standards and Technology and the Department of Justice to publish within 60 days immediate measures agencies should take to integrate VDPs into their data security programs. CISA is also required to issue a federal-wide implementation and strategic plan within 150 days to address challenges associated with vulnerability reporting and remediation.
Interested stakeholders have until Dec. 27 to comment on the two draft policies.