DHS issues draft order requiring agencies to bolster cybersecurity

The Department of Homeland Security’s (DHS) cybersecurity agency on Wednesday issued a draft order that would require federal agencies to increase protections against cyber vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) asked for public comment on a draft directive requiring government agencies to develop and publish cyber vulnerability disclosure policies.

“A vulnerability disclosure policy facilitates an agency’s awareness of otherwise unknown vulnerabilities,” CISA wrote in the draft order. “It commits the agency to authorize good faith security research and respond to vulnerability reports, and sets expectations for reporters.”

CISA noted that many federal agencies do not have established procedures to receive and address information about vulnerabilities from third-party companies or individuals. The absence of such standards could “create an environment that delays or discourages the public from reporting potential information security problems to the government,” CISA said.

The cyber agency emphasized that the order would “enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public.”

If the order goes into effect, agencies would have 180 days to publish their vulnerability disclosure policies.

The agency gave the public a Dec. 27 deadline to submit comments, marking the first time CISA has requested comments on this kind of directive.

“We want to hear from people with personal or institutional expertise in vulnerability disclosure,” Jeanette Manfra, the assistant director of cybersecurity at CISA, wrote in a separate blog post on Wednesday.

Manfra added that “in seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale.”

CISA previously issued orders requiring federal agencies to increase email security, secure high-value assets and remove products from Kaspersky Labs from federal networks due to concerns that the company was a Russian asset.