Congressional Research Service






Cybersecurity: Recent Policy and Guidance on

Federal Vulnerability Disclosure Programs



September 8, 2020

The Trump Administration has released policy and guidance on vulnerability disclosure programs
(VDPs) for federal agencies. VDPs help organizations secure their information technology (IT) by
allowing the public to discover and report weaknesses in systems, in the expectation that the organization
will mitigate the vulnerabilities. Unmitigated vulnerabilities can be exploited by malicious actors to
compromise systems, which may lead to data breaches.

On September 2, 2020, the Office of Management and Budget (OMB) released Memorandum M-20-32,
Improving Vulnerability Identification, Management, and Remediation, and the Cybersecurity and
Infrastructure Security Agency (CISA) released Binding Operational Directive 20-01 (BOD 20-01),
Develop and Publish a Vulnerability Disclosure Policy.


Policies

Memorandum M-20-32 establishes the policy for federal VDPs and the responsibilities of agencies. The
memorandum states that a VDP includes traditional vulnerability disclosure policies (i.e., an open
program under which the public can find vulnerabilities in IT systems), bug-bounty programs (i.e., a
program in which public and vetted researchers are paid to find vulnerabilities), and penetration testing
(i.e., a private program in which researchers are hired to discover ways to attack systems). M-20-32 states
that federal agencies shall:
    *  Create plain-language VDP policies that articulate which systems are in scope for
       research and what activities researchers may perform to discover vulnerabilities.
    *  Declare that good-faith research (as opposed to probing for malicious purposes) is
       authorized, and assure researchers that the agency will not pursue legal action against them.
    *  Create a reporting mechanism for identified vulnerabilities.
    *  Create a process for timely agency feedback to researchers on the status of their reports.
    *  Create a process to inform agency system owners of reported vulnerabilities.
    *  Separate reporting metrics on VDP use from reporting on cybersecurity incidents.
Congressional Research Service
https://crsreports.congress.gov
IN11497

CRS INSIGHT
Prepared for Members and Committees of Congress
