Office of Management and Budget
725 17th Street NW
Washington, D.C. 20503
Submitted electronically to ofcio@omb.eop.gov
The Cybersecurity Coalition (“Coalition”) submits this comment in response to the request for comment issued by the Office of Management and Budget (“OMB”) on November 27, 2019 regarding the draft memorandum titled, ‘‘Improving Vulnerability Identification, Management, and Remediation (“Draft Memorandum”).[1] The Coalition appreciates the opportunity to provide these comments and commends OMB for recognizing the importance of providing guidance to Federal agencies on the publication and implementation of Vulnerability Disclosure Policies (“VDPs”).
The Coalition is composed of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.[2] We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.
The Coalition applauds OMB for promoting the adoption of vulnerability disclosure policies ("VDP") and coordinated vulnerability disclosure (“CVD”) procedures in Federal agencies and fostering a baseline of government-wide CVD requirements. Policymakers and government bodies have key roles to play in driving broader adoption of CVD principles, especially by adopting CVD processes for government agencies and integrating CVD into cybersecurity guidance consistent with international standards and industry best practices.[3] The Coalition has taken the position that government agencies, at all levels, should be required to adopt an internal CVD program based on existing widely adopted, international standards, and is encouraged by OMB’s publication of government-wide actions and responsibilities.[4] CVD should already be a consideration for Federal agencies since CVD is a core practice in the NIST Cybersecurity Framework,[5] which agencies are directed to use for cyber risk management.[6]
The Coalition supports the designation of a civilian office to coordinate disclosure and communications of vulnerability information among multiple agencies. The Draft Memorandum provides that the Department of Homeland Security’s (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) will serve in this capacity. The Coalition supports much of CISA's draft Binding Operational Directive (BOD), and supports OMB's approach of requiring agencies to collaborate with CISA to improve the maturity, scope, and integration of agencies' VDPs, as well as further alignment with international standards.
Receiving, evaluating, and responding to vulnerability disclosures will require resources. The Coalition strongly urges OMB and Congress to work together to ensure agencies have access to adequate funding, workforce, and other resources necessary to successfully implement their VDPs. To prepare for implementation, agencies should also be encouraged to proactively scan their internal assets as soon as possible, mitigate high priority vulnerabilities, and ensure their vulnerability management processes are effective.
The Coalition appreciates that both OMB's Draft Memorandum references a widely-adopted international standard on CVD.[7] While this reference to the standards is helpful, the Coalition recommends that OMB explicitly urge agencies to align their vulnerability disclosure and handling practices with ISO/IEC 29147 (2018) and ISO/IEC 30111 (2019) to the degree practical. This includes minimizing the involvement those that handle vulnerability information, including at DHS and relevant agencies, to only those essential to mitigation development, as well as not mandating (and allowing for flexibility on) timelines for mitigation development, as recommended under international standards .Alignment with international standards is crucial to set consistent expectations and strengthen norms around vulnerability disclosure and handling, especially as some countries consider regulations that deviate sharply from those standards.[8]
The Draft Memorandum encourages Federal agencies to take affirmative steps to establish an initial VDP as a baseline for accepting reports from researchers. To streamline the disclosure process for vulnerability reporters, the Coalition recommends that each department and agency have its own public-facing channel to receive vulnerabilities (i.e., security@interior.gov, security@gsa.gov, etc.).[9]
Furthermore, as part of OMB's goal that agencies have clearly worded VDPs, it should be made clear that an agency’s VDP applies only to that agency’s internet-accessible systems or services, rather than those that belong to others.[10] The CVD program should make clear that the public-facing channel for disclosures is not intended to also cover security flaws in the systems of other, non-government entities. The agency will need a process to refer disclosures of vulnerabilities that belong to other, non-government entities to the affected organization, or to direct the reporter to do so.[11] This is consistent with international standards and industry-wide adopted CVD best practices, in which external discoverers of a vulnerability are encouraged to report the relevant information to the potentially impacted manufacturer, developer, or owner of the technology at hand, who is best positioned to lead the coordination and mitigation efforts.[12]
Finally, the Coalition supports the decision of OMB and CISA to decline requiring agencies to implement bug bounty programs. The Coalition urges OMB to continue this approach of requiring agencies to adopt VDPs while providing agencies with flexibility regarding whether to adopt bug bounty programs. The Coalition believes it is crucial for agencies to have foundational VDP and CVD processes in operation as part of agencies' internal cybersecurity risk management programs – regardless of whether the agency adopts a bug bounty program.[13] The Draft Memorandum notes that OMB will convene partner agencies to evaluate the effectiveness of leveraging bug bounty programs for agencies. As part of this evaluation, the Coalition urges OMB and its partners to avoid a requirement that agencies adopt bug bounty programs, and instead to prioritize agencies' own baseline capabilities to receive, evaluate, mitigate, and communicate about vulnerabilities, rather than outsource too much of the process to bug bounty programs.
The Coalition appreciates OMB’s efforts to incorporate the larger cybersecurity community into the protection of Federal information assets and systems. As OMB continues to develop policies and standards around vulnerability disclosure, the Coalition looks forward to serving as a resource concerning both technical and policy questions.
We appreciate your interest in this area and would welcome further collaboration moving forward.
Sincerely,
Ari Schwartz
Executive Coordinator
[1] Office of Management and Budget, Request for Comments on Improving Vulnerability Identification, Management, and Remediation, 84 FR 65424, Nov. 27, 2019, https://www.govinfo.gov/content/pkg/FR-2019-11-27/pdf/2019-25715.pdf. See also Office of Management and Budget, draft memorandum, Improving Vulnerability Identification, Management, and Remediation, Nov. 27, 2019, https://policy.cio.gov/vdp-draft.
[2] The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.
[3] Cybersecurity Coalition, Policy Priorities for Coordinated Vulnerability Disclosure and Handling, Feb. 25, 2019, pgs. 9-11, https://www.cybersecuritycoalition.org/policy-priorities.
[4] Id.
[5] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity version 1.1, RS.AN-5, pg. 42, Apr. 16, 2018, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
[6] White House, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Sec. 1(c)(ii), May. 11, 2017, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure.
[7] Endnote 1 of the Draft Memorandum references ISO/IEC 29147 (2018).
[8] See comments of the Cybersecurity Coalition and the Cyber Threat Alliance, Cybersecurity Vulnerabilities Administrative Regulation, Jul. 17, 2019, https://www.cybersecuritycoalition.org/cybersecurity-vulnerabilities.
[9] See DotGov, Domain security best practices, Add a security contact, https://home.dotgov.gov/management/security-best-practices (last accessed Feb. 22, 2019).
[10] See, for example, US Department of Defense, DoD Vulnerability Disclosure Policy, Scope, Nov. 21, 2016, https://hackerone.com/deptofdefense. "Scope: Any public-facing website owned, operated, or controlled by DoD, including web applications hosted on those sites. [...] To the extent that any security research or vulnerability disclosure activity involves the [assets] of a non-DoD entity[...], that non-DoD third party may independently determine whether to pursue legal action or remedies related to such activities."
[11] The CISA draft BOD includes partial guidance on this point. The Coalition recommends OMB and CISA guide agencies to encourage vulnerability reporters to disclose directly to the vendor of impacted third party products or services that the agency uses, when possible.
[12] ISO/IEC 30111 (2019) Section 7.2.4 Remediation development (“The vendor develops and performs appropriate tests to ensure the vulnerability issue has been addressed on all supported platforms”). See also Section 5.6.3 ISO/IEC 29147 (2018) (“A reporter identifies potential vulnerabilities in products or services and notifies the vendor”).
[13] Cybersecurity Coalition, Policy Priorities for Coordinated Vulnerability Disclosure and Handling, Feb. 25, 2019, pgs. 6-8, https://www.cybersecuritycoalition.org/policy-priorities. See also Harley Geiger, Prioritizing the Fundamentals of Coordinated Vulnerability Disclosure, Rapid7, Oct. 31, 2018, https://blog.rapid7.com/2018/10/31/prioritizing-the-fundamentals-of-coordinated-vulnerability-disclosure.