December 26, 2019

Comments to the Department of Homeland Security on the Cybersecurity and Infrastructure Security Agency's Binding Operational Directive 20-01 (Draft), "Develop and Publish a Vulnerability Disclosure Policy"

Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
245 Murray Lane
Washington, D.C. 20528

Submitted electronically to bod.feedback@cisa.dhs.gov

Re: Draft of Binding Operational Directive on Developing a Vulnerability Disclosure Policy

The Cybersecurity Coalition (“Coalition”) submits this comment in response to the request for comment issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) on November 27, 2019, titled “Binding Operational Directive 20-01 (draft), Develop and Publish a Vulnerability Disclosure Policy” (the “BOD”). The Coalition appreciates the opportunity to provide these comments and commends CISA for providing guidance to Federal agencies on the development and implementation of vulnerability disclosure policies and vulnerability disclosure handling procedures. The Coalition further commends CISA for soliciting public comment on the Binding Operational Directive.

The Coalition is composed of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.[1] We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.

The Coalition applauds CISA for promoting the adoption of vulnerability disclosure policies (“VDP”) and handling procedures in Federal agencies and for providing guidance on the development and implementation of vulnerability disclosure policies. Policymakers and government bodies have key roles to play in driving broader adoption of coordinated vulnerability disclosure (“CVD”) principles, especially by adopting CVD processes for government agencies and integrating CVD into cybersecurity guidance consistent with international standards and industry best practices.[2] The Coalition has taken the position that government agencies, at all levels, should be required to adopt an internal CVD program based on existing, widely adopted, international standards.[3] CVD should already be a consideration for Federal agencies, since CVD is a core practice in the NIST Cybersecurity Framework,[4] which agencies are directed to use for cyber risk management.[5]

Receiving, evaluating, and responding to vulnerability disclosures will require resources. The Coalition urges CISA, OMB, and Congress to work together to ensure agencies have access to adequate funding, workforce, and other resources necessary to successfully implement their VDPs and CVD processes. To prepare for implementation, agencies should also be encouraged to proactively scan their internal assets as soon as possible, mitigate high-priority vulnerabilities, and ensure their vulnerability management processes are effective.

The Coalition supports the phase-in approach to the scope of the VDP, as well as the goal of bringing agencies' internet-accessible assets within scope of the VDP. However, we recognize that some agencies may face challenges in applying the VDP requirement to all such assets within two years. We encourage CISA to be responsive to such concerns and provide agencies with flexibility on the timeline for expanding the scope of their VDPs, to ensure the pace of expansion is assertive yet proportionate to agencies' skill levels and resources.

The Coalition appreciates that the BOD references widely adopted international standards on CVD, ISO/IEC 29147 (2018) and ISO/IEC 30111 (2019), as key normative sources.[6] While this reference to the standards is helpful, the Coalition recommends that CISA explicitly urge agencies to align their vulnerability disclosure and handling practices with the ISO standards to the degree practical. Alignment with international standards is crucial to set consistent expectations and strengthen norms around vulnerability disclosure and handling, especially as some countries consider regulations that deviate sharply from those standards.[7]

The Coalition urges CISA to clarify that the BOD does not require a deadline for agencies to mitigate vulnerabilities. The draft BOD directs agencies to set timelines for mitigation of disclosed vulnerabilities, and recommends that agencies set the timeline at 90 days or less.[8] The BOD further suggests, in the implementation guide, that agencies should “specify a target time for resolution, in days.”[9] It is appropriate for agencies to have general internal guidelines and a target time for mitigation, and to work to improve on that time in the long term. However, a fixed deadline should not apply in all circumstances, as evaluation and mitigation of some vulnerabilities may be too complex to meet the deadline, as the BOD recognizes in footnote 23.[10] Missing an artificial deadline may result in unmet expectations and loss of trust with vulnerability reporters, and may prompt premature public disclosure of unmitigated vulnerabilities, which creates additional risk of exploitation. CISA should explicitly guide agencies to clarify in their VDP documentation that the target deadline does not apply to circumstances that require a longer timeline to mitigate.

International standards do not recommend specific mitigation timeframes; rather, they state that vendors should balance the need to develop remediation as soon as possible ‘with the overall testing required to ensure the remediation does not negatively impact affected users due to quality issues’, meaning the completeness and effectiveness of the proposed mitigation.[11] The Coalition recommends that CISA further align the BOD with international standards and clarify that agencies should apply mitigations as quickly as possible and in reasonable timeframes, taking into consideration the completeness and effectiveness of the proposed mitigation as well as the severity of the vulnerability, and that CISA should not mandate or support specific, targeted timeframes. This aligns with the VDP language proposed by the BOD (asking the reporter to: “[p]rovide us a reasonable amount of time to resolve the issue before you disclose it publicly”).[12]

International standards require minimizing the number of people who handle vulnerability information, including at DHS and relevant agencies, to only those essential to mitigation development. Adequate processes and protections should be put in place to maintain the confidentiality of the information and to prevent it from circulating to entities not essential to mitigation development, in line with international standards.

Lastly, under international standards and industry-wide adopted CVD best practices, external discoverers of a vulnerability are encouraged to report the relevant information to the potentially impacted manufacturer, developer, or owner of the technology at hand, who is best positioned to lead the coordination and mitigation efforts.[13] Consistent with these standards and best practices, the BOD should suggest that agencies' VDPs encourage vulnerability reporters to disclose directly to the vendor of impacted third-party products or services that the agency uses, when possible.[14] This will help ensure that the vendor, who is best positioned to lead the mitigation development process, is made aware of the vulnerability quickly, rather than relying solely on the agency to do so.

The Coalition appreciates CISA’s efforts to incorporate the larger cybersecurity community into the protection of Federal information assets and systems. As CISA continues to develop policies and standards around vulnerability disclosure, the Coalition looks forward to serving as a resource concerning both technical and policy questions.

Sincerely,


Ari Schwartz

Executive Coordinator

[1] The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.

[2] Cybersecurity Coalition, Policy Priorities for Coordinated Vulnerability Disclosure and Handling, Feb. 25, 2019, pgs. 9-11, https://www.cybersecuritycoalition.org/policy-priorities

[3] Id.

[4] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity version 1.1, RS.AN-5, pg. 42, Apr. 16, 2018, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

[5] White House, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Sec. 1(c)(ii), May 11, 2017, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure.

[6] According to the Binding Operational Directive 20-01 November 27, 2019 (draft): “International standards ISO 29147 (vulnerability disclosure) and ISO 30111 (vulnerability handling processes) are high quality normative resources. As vulnerability disclosures can come from anyone across the globe, aligning with international best practices minimizes potential friction”.

[7] See comments of the Cybersecurity Coalition and the Cyber Threat Alliance, Cybersecurity Vulnerabilities Administrative Regulation, Jul. 17, 2019, https://www.cybersecuritycoalition.org/cybersecurity-vulnerabilities.

[8] See CISA draft BOD: "b) Set target timelines for and track: iii. Resolution of vulnerabilities, including notification of the outcome to the reporter." See also footnote 23: "CISA recommends no more than 90 days from the receipt of the report... Complex situations, including those that involve multi-party coordination, might require additional time."

[9] See CISA draft BOD: "For instance, a policy ought to: ...Specify a target time for resolution, in days." https://cyber.dhs.gov/bod/20-01/#implementation-guide

[10] International Standards recognize that the time needed to develop, test, and deploy mitigations in a manner that will incentivize adoption by end users varies according to the technology and vulnerability. In certain complex environments, the mitigation of vulnerabilities may require taking action at multiple and interdependent layers of the system (i.e. multi-party CVD) to validate the vulnerability, develop and test the mitigations in various environments, and effectively deliver the mitigations to end-users. See Center for Cybersecurity Policy and Law, Improving Hardware Component Vulnerability Disclosure (2019), available at https://centerforcybersecuritypolicy.org/improving-hardware-component-vulnerability-disclosure. See also FIRST, Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure, available at https://first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.0.

[11] See ISO/IEC 30111 (2019), Section 7.2.5 (Remediation Development): ‘When determining the best remediation, the vendor should attempt to balance the need to create a remediation quickly, with the overall testing required to ensure the remediation does not negatively impact affected users due to quality issues.’ See also Section 7.2 with respect to vulnerability handling phases monitoring.

[12] CISA VDP template: https://cyber.dhs.gov/bod/20-01/vdp-template

[13] ISO/IEC 30111 (2019) Section 7.2.4 Remediation development (“The vendor develops and performs appropriate tests to ensure the vulnerability issue has been addressed on all supported platforms”). See also Section 5.6.3 ISO/IEC 29147 (2018) (“A reporter identifies potential vulnerabilities in products or services and notifies the vendor”).

[14] The draft BOD implementation guide suggests that agencies direct reporters to disclose vulnerabilities to vendors of third-party products when the reporter approaches an agency due to a perceived regulatory role. However, when the disclosure concerns a vulnerability in a third-party service that the agency uses, the draft BOD does not suggest that agencies encourage reporters to disclose to the vendor in addition to the agency.