CISA and OMB Release Guidance on Vulnerability Management for Federal Government Agencies

Author: Charles Egli

Created: Thursday, September 3, 2020 - 18:05

Categories: Cybersecurity, Federal & State Resources

Yesterday, the U.S. Department of Homeland Security Cybersecurity Agency (CISA) and the Office of Management and Budget (OMB) released three documents providing guidance for how federal government agencies should manage vulnerabilities. The CISA guidance consists of a binding operational directive (BOD) that requires each federal agency to publish a vulnerability disclosure program (VDP) as well as implementation guidance. A VDP tells those who find flaws in an agency’s digital infrastructure where to send a report, what types of testing are authorized for which systems, and what communication to expect in response. CISA notes that publication of agency VDPs will make it easier for users to report vulnerabilities they find in the federal government’s internet-accessible systems. OMB, meanwhile, released the final vulnerability disclosure policy, detailing the overarching approach agencies should take to address new and long-standing cyber vulnerabilities. OMB said a VDP should address five areas, including a clear reporting mechanism, timely feedback, and ensuring system owners know about problems found within 48 hours. CISA builds on that part of the policy in the BOD and implementation guidance. Read more about the new guidance in a blog by CISA Assistant Director for Cybersecurity Brian Ware and an article from the Federal News Network.
