The Cybersecurity and Infrastructure Security Agency issued a draft directive in November to require civilian agencies to work with security researchers to find vulnerabilities on their websites. Representative Jim Langevin (D-RI) says that directive is now final and being coordinated with OMB, which will release its policy first.

OMB’s draft policy requires agencies to establish vulnerability disclosure policies within 180 days of a final memo being issued. CIOs will be held responsible and should coordinate with CISA in maturing agency policies. CISA’s directive includes suggested legal language and timelines for responding to security researchers’ reports and resolving them.

More at NextGov