CISA still working with some agencies to fully follow federal vulnerability disclosure policy rules

A small number of federal agencies are still working with CISA to fully comply with the directive's vulnerability disclosure requirements.
The DHS and CISA booth at the 2019 RSA conference in San Francisco. (Scoop News Group photo)

According to the Cybersecurity and Infrastructure Security Agency, all of the 101 federal civilian agencies impacted by a 2020 directive instructing them to publish vulnerability disclosure policies — a formalized method of discovering cybersecurity vulnerabilities with the help of the public — have now done so.

More than 93 percent of these agencies have “fully implemented directive requirements to ensure that all systems are in-scope for vulnerability disclosure,” Mike Duffy, the associate director at CISA within the Department of Homeland Security, told FedScoop this week.

According to VDP metrics that agencies started reporting in July 2021, these policies have helped mitigate more than 3,000 vulnerabilities, he added. 

“CISA’s Binding Operational Directive 20-01 established the federal government’s standard for vulnerability disclosure policies (VDPs), drove the development and rapid integration of VDPs within agency vulnerability management programs, and advanced the government’s coordination with the security researcher community by increasing researcher awareness and accessibility in support of our mission to reduce cybersecurity risk,” explained Duffy. 
CISA is still working with a small number of agencies to broaden the systems covered by their VDPs and fully meet the requirements of the directive, Binding Operational Directive 20-01. That BOD told federal agencies that “[a]ll internet-accessible systems or services must be in scope of your policy” by September 2022, according to a web version of the directive.

CISA has a team focused specifically on ensuring compliance with the agency’s directives and is also working with agencies to help them optimize their use of VDPs and take other cybersecurity steps.

“It’s actually more than just a start. It represents a lot of progress,” Ilona Cohen, chief legal and policy officer at HackerOne, told FedScoop.

VDPs are relatively efficient and cost-effective, she added, and their use within the federal government has been ramping up over the past several years. In the aftermath of the 2015 OPM breach, federal agencies — starting with the Pentagon — began exploring new strategies for improving the federal government’s cybersecurity. Every administration has taken steps in support of VDPs since.

Notably, many of the reports filed with federal agencies went through CISA’s own VDP platform. Last week, the agency published its first-ever annual report on the platform, which is now being used by 40 agency programs.
Earlier this month, Rep. Nancy Mace, R-S.C., proposed legislation that would encourage federal contractors to adopt VDP, too. That proposal was also supported by HackerOne.
