Langevin Applauds Directive Requiring Federal Agencies to Have Vulnerability Disclosure Policies

Nov 27, 2019

Washington, DC -- Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committee on Homeland Security, issued a statement regarding the Cybersecurity and Infrastructure Security Agency’s (CISA) draft binding operational directive entitled: “Develop and Publish a Vulnerability Disclosure Policy.” Langevin has long supported vulnerability disclosure policies (VDPs) as a way to improve the Internet ecosystem, and legislation he authored with House Minority Leader Kevin McCarthy to require a VDP at the Department of Homeland Security was included in last year’s SECURE Technology Act.

“This is a banner day for federal agency cybersecurity. The Internet was not built with security in mind, and while it will never be 100 percent secure, this decision will go a long way toward enhancing our defenses. Vulnerability disclosure policies are the front door through which well-meaning security researchers can alert system owners about security problems in the configuration or the code of the software they’re using. From my visits to DEF CON and my time talking to the security research community, I know the important contributions these diverse individuals can make to improving our nation’s cybersecurity. What’s more, I recognize that most security researchers are looking for the right way to report the vulnerabilities they come across. CISA’s decision to require every agency to have a vulnerability disclosure policy is a major step forward in both increasing security and extending an open hand to a community that is on the front lines of securing our nation in cyberspace.

“Implementing this directive will take time, and I appreciate the glide path CISA has provided for agencies to move systems into scope. Agencies must recognize, however, that disclosure policies are long-standing practices with international standards on implementation and that they have a responsibility to move quickly to improve their remediation processes. Congress will need to conduct close oversight of the rollout of this directive to ensure every agency is taking advantage of the talented individuals looking to make the cyber ecosystem safer.

“Today’s directive would not have been possible without the leadership of CISA Director Chris Krebs. The directive builds on an Office of Management and Budget memorandum issued this morning and on important work done at the National Telecommunications and Information Administration and the National Institute of Standards and Technology to provide guidance on coordinated vulnerability disclosure. Vulnerability disclosure policies in government were pioneered at the Department of Defense, through the “Hack the Pentagon” program, and the General Services Administration, and both agencies deserve full credit for working with the Department of Justice to provide a scalable legal framework for the policies consistent with federal law.

“We all recognize that there is a talent shortage that is impeding our ability to improve federal cybersecurity. Today, we are stating clearly that the many security researchers around the country can and should help their country by reporting problems when they see them. We need their help – after all, the malicious actors in cyberspace aren’t going to give us a heads up when they find a vulnerability. I look forward to continuing my work to strengthen bonds with the security research community so that we can take advantage of their skills and make the Internet a safer place.”