The Department of Homeland Security announced Tuesday that it will partner with vulnerability disclosure platform Bugcrowd and EnDyna, a contractor providing government technology, environmental and safety services, to provide a vulnerability disclosure program platform for civilian agencies.
Under Binding Operational Directive (BOD) 20-01, issued in September 2020, DHS's Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian executive branch agencies to develop and publish vulnerability disclosure policies. Agencies are expected to have all of their internet-accessible systems covered by those programs by September 2022.
“A key component of any organization’s cybersecurity program should be a transparent and clear way for security researchers to report vulnerabilities, which is why CISA issued a directive last year to require federal civilian executive branch agencies to implement a vulnerability disclosure policy," said Eric Goldstein, Cybersecurity and Infrastructure Security Agency executive assistant director for cybersecurity. "As we work to raise the baseline of cybersecurity across the executive branch, CISA will continue to work with federal agencies to ensure they have the support they need to strengthen their cybersecurity operations, including by quickly identifying and mitigating vulnerabilities."
CISA's vulnerability disclosure platform will be run through the agency's Cybersecurity Quality Services Management Office.
Ashish Gupta, CEO of Bugcrowd, told SC Media that the announcement might increase usage of Bugcrowd's services in local and international government.
"We actually have multiple different governments that are using our platform already," Gupta said. "In addition to that, after this announcement goes out, I have a feeling there'll be a tremendous number of governments that will be interested, because it basically sets the standard."
One challenge Gupta expects federal agencies to contend with after the announcement is restructuring to handle the intake and triage workload that a disclosure program generates.
"The key point here is that you now get an army of humans who are very motivated, ethical researchers who are going to provide you a lot of input. So what agencies need to know is that this input is going to come," he said. "This is going to require resources."
Disclosure programs are no longer the radical security strategy they were when the Department of Defense launched "Hack the Pentagon" in 2016, said Gupta, and developing disclosure programs in civilian agencies puts the federal government in line with what is more or less standard practice in well-defended organizations.
"This is a new requirement that has been accepted, and it's been accepted in the enterprises for years and years and years," he said. "We've got hundreds of vulnerability disclosure programs with hundreds and hundreds of customers that are doing this on a day to day basis."
Beyond CISA, annual defense authorization legislation included a provision that requires the secretary of defense to deliver a report by September laying out the feasibility of a DoD-led threat hunting program focused on identifying and rooting out cybersecurity vulnerabilities in the systems and networks of defense contractors. If that report is favorable to the idea, DoD officials plan to have such a program in place by 2022. Earlier this month, the Intelligence and National Security Alliance, a non-profit professional organization for intelligence and national security personnel, issued seven recommendations for how such a program might be set up.