Over the last few years, government agencies like the U.S. Department of Defense have been crowdsourcing their cybersecurity and tapping into the knowledge of security researchers.
Now, federal civilian agencies are moving in that same direction.
The Cybersecurity and Infrastructure Security Agency (CISA) has announced its new Vulnerability Disclosure Policy (VDP) Platform, which will be a service to Federal Civilian Executive Branch (FCEB) agencies.
FCEB agencies will now be able to communicate effectively with the public hacker community, allowing them to identify and monitor vulnerabilities in critical systems.
This further develops CISA's Binding Operational Directive (BOD) 20-01, which requires all FCEB agencies to develop and publish a VDP.
CISA says the platform "aims to promote good faith security research, ultimately resulting in improved security and coordinated disclosure across the federal civilian enterprise."
How will CISA's VDP platform work?
The platform is anticipated to be a software-as-a-service application that will be the main point of entry for vulnerability reporters and will alert other participating agencies of problems.
Here is a visual display from CISA of how the platform will work:
And here is how it describes the role of each player on the platform:
- "Vulnerability Reporters: utilize this Platform as a central place to report vulnerabilities in federal systems of participating agencies."
- "Platform Service Provider: provides screening and initial triage of submissions, validating which appear to be legitimate."
- "CISA: maintains insight into disclosure activities but does not actively participate in each disclosure remediation process. CISA will have read-only access to all agency reports to view aggregate statistical data and reports."
- "Your Agency: maintains a separate profile in the Platform. By logging into the Platform interface, agency users can see an agency dashboard with the list of submissions and general statistics."
Benefits of CISA's VDP platform
The primary goal of this platform is to encourage collaboration and information sharing between the public and private sectors.
This is a point the Biden Administration has made with its recent Executive Order, asking people to share any relevant cybersecurity information related to the recent string of ransomware attacks.
CISA claims that there are three major benefits to the platform, which are:
- "Compliance with Federal Requirements: The Platform will be centrally managed by CISA's Cybersecurity Quality Services Management Office (Cyber QSMO), which will ensure the Platform meets all relevant government-wide standards, policy, and business requirements."
- "Reduced Agency Burden: The Platform service provider will host and manage the Platform, including administrative responsibilities, user management, and support. The service will include basic assessing of vulnerability reports submitted, enabling agencies to focus on those reports that have real impact."
- "Improved Information Sharing Across Federal Enterprise: By allowing CISA to maintain insight into disclosure activities, the Platform will increase the sharing of vulnerability information across agencies."
CISA partners with Bugcrowd and Endyna for VDP platform
To make the VDP platform as effective as it can be, CISA has teamed up with Bugcrowd, a crowdsourced cybersecurity company, and Endyna, a government contractor that provides technology-based solutions.
Here is Ashish Gupta, CEO and President of Bugcrowd, on the need for this platform:
"As seen in the commercial and defense sectors, crowdsourced cybersecurity and vulnerability disclosure programs are a critical safeguard in helping reduce the risk of breach."
CISA says that any agency interested in participating or receiving additional information about the platform should contact the Cyber QSMO at QSMO@hq.dhs.gov.