DHS officials are mulling the release of a Binding Operational Directive (BOD), the mechanism DHS uses to compel civilian federal agencies to fix security shortcomings, typically on a tight deadline. The move would be a blunt response to the lack of federal progress on Vulnerability Disclosure Programs (VDPs). Programs that allow outside researchers to report security flaws are commonplace in the private sector, but fewer than 10 civilian agencies have VDPs in place, according to the Cybersecurity and Infrastructure Security Agency (CISA).
A draft BOD has reportedly been in the works for months. It outlines key principles that every agency’s VDP should have, including legal protections for researchers who report bugs, expectations for how agencies will move to fix those bugs, and the scope of agency assets that a program should cover. One proposal on the table is for CISA to set up a central portal that would allow other agencies to receive vulnerability reports from researchers.
