Langevin Statement on Finalized Binding Operational Directive Requiring Agencies to Have Vulnerability Disclosure Policies

Sep 2, 2020 | Issues: Cybersecurity

Warwick, R.I. – Congressman Jim Langevin (D-RI), a senior member of the House Committee on Homeland Security, a member of the Cyberspace Solarium Commission, and the co-founder and co-chair of the Congressional Cybersecurity Caucus, issued the following statement regarding the finalization of the Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive (BOD) 20-01, Vulnerability Disclosure Policies. The BOD was published in conjunction with a memorandum from the Office of Management and Budget (OMB) entitled “Improving Vulnerability Identification, Management, and Remediation.” Langevin and Republican Leader Kevin McCarthy submitted comments on the draft BOD and memorandum in January.

The following may be attributed to Congressman Langevin:

“When cybersecurity researchers find a flaw in software, they need to have some mechanism for reporting it so it can be fixed. I have long advocated for vulnerability disclosure policies that provide clear guidelines for such reporting, and, today, the federal government is taking an important step in normalizing them. CISA’s newly finalized Binding Operational Directive on vulnerability disclosure begins: ‘Cybersecurity is a public good that is strongest when the public is given the ability to contribute.’ I could not agree more. Assistant Director Bryan Ware and his team have done an absolutely terrific job with the vulnerability disclosure directive, which sets a new bar for cybersecurity leadership by the federal government. I fully expect state and local governments, private companies, and non-profits to use the directive and the corresponding OMB memorandum as models of how to effectively extend the hand of friendship to security researchers and protect their systems.

“When I first attended DEF CON in 2017, I promised to take what I learned from the security researchers there back to Washington. Time and again I have made the argument that we need to give well-meaning researchers trying to make the Internet safer a means of engaging with government. Thanks to the leadership of people like CISA Director Krebs and Republican Leader McCarthy, the federal government is starting a new chapter in its relationship with cybersecurity researchers. I look forward to continuing to strengthen that relationship, and I am ready to support agencies as they begin to implement this new directive.”