In a request for information released late December, the agencies asked industry for feedback on how to set up a system that could serve as a primary point of entry for security researchers warning about bugs in their internet-accessible systems.
“The Department of Homeland Security and the General Services Administration want to know what it would take to develop a cloud-based centralized vulnerability disclosure platform for the federal government.
While the platform would be managed by the Cybersecurity and Infrastructure Security Agency at DHS, agencies might have to kick in some of their own funding and participation would be voluntary. CISA is looking at a centralized software-as-a-service platform that can track incoming submissions, validate each report for legitimate bugs while filtering out errant ones, enable web-based communication between the reporter and agency during remediation efforts and allow agencies to create separate role-based accounts for their main organization and component agencies.
While federal civilian and military systems are often riddled with bugs, the document points out that the system could be beneficial to many agencies that will likely be starting vulnerability disclosure management from scratch.
“Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” the RFI notes. “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”
The platform would also track a number of metrics around each agency’s disclosure program, such as the number of reports submitted, number of valid vulnerabilities identified and the median time needed to respond, validate and mitigate issues. Automatic alerts would be sent out to all parties as different stakeholders complete their tasks, and the web application would allow CISA to intervene in instances where the affected agency is unknown or unresponsive to a pending bug.
The RFI overlaps with a request from CISA for feedback from security researchers on a draft Binding Operational Directive that would compel civilian agencies to set up their own vulnerability disclosure programs.
Some security researchers have expressed concerns around legal protections and how easy it would be to contact and communicate with affected agencies. Over the years internal audits by the Government Accountability Office and agency inspectors general have found hundreds of security vulnerabilities and spotty patch management practices for U.S. weapons systems, airport screening systems, the electrical grid, unclassified nuclear systems and a host of other critical IT systems managed by the federal government.”