Updated: Sep 8, 2020
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently published its finalized Binding Operational Directive (BOD) requiring federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy (VDP) as well as maintain the supporting management procedures. Basically, the government is providing a directive and guidance to create a channel for third-party researchers to report potential security vulnerabilities to federal agencies – government-wide, “If you see something, say something” about cyber security. Or, as a CISA blog post put it, a federal cyber 911 system. Additionally, the White House Office of Management and Budget provided federal agencies guidance for obtaining and managing their vulnerability research programs.
This is all great! Except that, for sustainable success, the steps are being taken out of order. You can’t just put up a point of contact to solicit vulnerability reports from the public with no process behind it and expect good security as a result.
It would be like globally advertising your great uncle’s contest-winning BBQ, without helping him first create an industrial kitchen to scale to the new unpredictable spike in public demand for his smoky goodness. But someone must prep the food, tend the smoker, and keep everything coming out fully cooked to prevent customers from receiving a lot of half-baked, mediocre mitigation meals.
Unfortunately, it’s definitely a concern that the final directive does not require agencies to assess and build out their security operational capacity before implementing a VDP. To that end, my colleagues and I detailed our concerns during the comment period.
It’s important to remember that VDPs are not a one-size-fits-all approach. What works for an organization when performing regular vulnerability management hygiene, such as applying patches to their own systems when available, doesn’t usually translate to scalable capabilities for a VDP. This might lead agencies to believe that setting up a VDP or bug bounty on a commercial platform would be the easiest way to comply with the directive, and this misconception is where we begin to see red flags flying and hear a voice saying, “Danger, Will Robinson!”
Vulnerability disclosure and bug bounty programs can be useful tools for organizations, depending on their capabilities and organizational needs, but managing vulnerabilities and improving security goes well beyond receiving bug reports. It’s the same as advertising an emergency phone number like 911 with no operators, ambulances, firetrucks, or the requisite staffing and dispatch behind it – this won’t end well if rolled out in this order.
That’s why agencies must assess several important factors and processes to understand their operational capacity and maturity. A solid first step is benchmarking their capabilities and identifying and prioritizing the areas that need improvement by using the Vulnerability Coordination Maturity Model (VCMM). The VCMM helps organizations measure and evolve their vulnerability management capabilities.
The VCMM provides a framework to evaluate five key areas, and by assessing these internal process areas, agencies will understand their preparedness to respond to vulnerability reports and act on them, enhance their abilities for responding to reports, and create a plan for improving their vulnerability coordination and overall security moving forward.
The good news is that agencies do not have to shoulder the burden alone, but beware of organizations telling you that they can “fully manage” a VDP or bug bounty program when all they really do is provide a ticketing system and some basic triage.
Would your great uncle fall for someone telling him that an online ordering portal would solve his kitchen’s BBQ order scaling problem? Would a national 911 service work if there were only operators standing by, with no emergency responders or equipment?
Even though this BOD for VDP idea doesn’t include all the ingredients for success, we can work together to address the issues this directive presents by taking a logical look at both ISO standards (29147 and 30111) and addressing the gaps in people, process, and tools for VDPs.
Not sure where to begin? Whether you’re a federal agency, an election authority, or anyone looking for expert guidance on how to prepare for a VDP (from the same company that advised the U.S. DoD and UK NCSC on how to create their successful VDPs), download a free copy of the Vulnerability Coordination Maturity Model. If you have questions on how to put the VCMM to work for you, we’re here in the BBQ pit, mixing the spice rub to help everything turn out well.
Afterwards, we can all kick back and crack open a beverage of our choice, knowing the kitchen is stocked, the smokers are primed, and the cooks are ready for us all to come together and BBQ some serious bugs.