Cyber Guidance on VDPs for Federal Agencies and Contractors
WHY IT MATTERS
The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a Binding Operational Directive (BOD) guiding federal agencies on how to set up their vulnerability disclosure programs.
Federal government contractors are participants in the security process because they pose their own set of cyber vulnerabilities.
Why? A contractor’s employee may unwittingly grant a hacker access into the company’s network. The knock-on effect could be access to an even larger network – a federal agency’s network.
What is the solution? Federal government contractors need a holistic cyber risk management plant in place.
A holistic cyber risk management consists of cybersecurity awareness, cybersecurity measures, and comprehensive Stand-Alone Cyber Insurance.
Vulnerability Disclosure Programs (VDPs)
The OMB and CISA are taking proactive steps by issuing new guidance to federal agencies via a BOD.
Binding Operational Directive 20-01 (BOD-20-01)
The actions of this directive have been developed to be in harmony with other federal agencies’ frameworks, international standards, and best practices.
“Cybersecurity is a public good that is strongest when the public is given the ability to contribute. A key component to receiving cybersecurity help from the public is to establish a formal policy that describes the activities that can be undertaken in order to find and report vulnerabilities in a legally authorized manner. Such policies enable federal agencies to remediate vulnerabilities before they can be exploited by an adversary – to immense public benefit. Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. They make it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect. When agencies integrate vulnerability reporting into their existing 2 cybersecurity risk management activities, they can weigh and address a wider array of concerns. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies. Additionally, ensuring consistent policies across the Executive Branch offers those who report vulnerabilities equivalent protection and a more uniform experience.”
BOD-20-01 seeks to clarify the difference between a VDP and a Bug Bounty:
“A key benefit of a vulnerability disclosure policy is to reduce risk to agency infrastructure and the public by incentivizing coordinated disclosure so there is time to fix the vulnerability before it is publicly known. A VDP is similar to, but distinct from, a “bug bounty.” In bug bounty programs, organizations pay for valid and impactful findings of certain types of vulnerabilities in their systems or products. A financial reward can incentivize action and may attract people who might not otherwise look for vulnerabilities. This may also result in a higher number of reports or an increase in low-quality submissions. Organizations engaged in bug bounties will frequently use third-party platforms and service vendors to assist in managing and triaging bug reports. Bug bounties may be offered to the general public or may only be offered to select researchers or those who meet certain criteria. While bug bounties can enhance security, this directive does not require agencies to establish bug bounty programs.”
Recently, HackerOne reported on the uptick in demand for security researchers over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting VDPs and paying white-hat hackers (aka ethical hackers) more for the critical flaws they find.
Following feedback, CISA issued the final version of BOD 20-01, stating that following feedback, CISA issued the final version of BOD 20-01, stating that VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."
The Federal News Network reported that Russ Vought, OMB Director, stated in a memo to agency leaders ”Federal agencies are currently incorporating two types of coordinated vulnerability disclosure (CVD) programs into their security efforts: Vulnerability disclosure policies (VDPs) and bug bounties.” Vought added that “VDPs establish processes for the identification, management, and remediation of security vulnerabilities uncovered by security researchers. They are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment. They also provide protection for those who uncover these vulnerabilities by differentiating between good-faith security research and unacceptable means of gathering security information.”
Bug bounties differ from VDPs because they offer compensation based on established parameters to security researchers who report the vulnerabilities they find.
“While several organizations in the federal government have used bug bounty programs effectively, each agency should carefully weigh the cost, organizational competence and maturity required for a strong and sustainable program,” Vought wrote.
Ethical Hacking for the DOD and DODIN
The BOD-20-01 applies to all Federal Executive Branch Departments and Agencies, except for the Department of Defense (DOD), Central Intelligence Agency, and Office of the Director of National Intelligence.
In 2016, the Secretary of Defense, established the VDP that operates to strengthen the security of the DOD and DOD Information Network (DODIN) by providing an additional layer to the defense-in-depth cybersecurity strategy. The DOD and DODIN embraced a previously overlooked yet indispensable resource -- the private-sector security researchers (aka white-hat or ethical hackers).
The success of the program relies solely on expertise and support from the security researcher community which contributes to the overall security of the DOD. The DODIN information technologies, services, and systems provide critical capabilities to all military service members, their families, veterans, DOD civilians, and contractors.
Ultimately, VDP will achieve its objective of ensuring that the DOD can defend the US, by driving an increase in the DODIN’s cyber hygiene.
As we have discussed in prior articles, hackers take advantage of vulnerabilities of human beings while they are using Internet-connected devices or working in remote work environments. During COVID-19 with emotions and distractions running above normal levels, our cyber defenses could be below normal levels. Unfortunately, this volatile set of circumstances has led to a an increase in cyberattacks.
Without comprehensive cyber insurance, your business may not survive the financial fallout from a cyber incident.
Stand-Alone Cyber Insurance
Your business can protect the bottom line with the services and coverage provided by Stand-Alone Cyber Insurance. For example:
- If you suffer a data breach – you can obtain support from an incident response team. The team will implement the incident response plan, e.g., help you stop the breach, conduct a forensic investigation, notify all those impacted, recover or restore your data, use public relations to maintain your brand, and possibly defend third-party liability claims or lawsuits for damages by injured parties.
- If you suffer a ransomware attack -- you can obtain support in negotiating the ransom demand and be compensated for the ransom payment (made with the prior written consent of the insurer).
- If you experience business interruption from a cyberattack -- you can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period and during a restoration period).
- If you experience funds transfer fraud -- you can obtain support in recouping some of the funds as well as compensation for the unrecovered funds.
Stand-Alone Cyber Insurance is a Win-Win – first, you win by investing in the services provided in most policies, and second, you win by investing in the coverage provided when faced with a claim or lawsuit for damages.
- VDPs seek to ensure that federal agencies, including the DOD, fulfill their respective missions via increased cyber hygiene. They cannot do this alone.
- Federal government contractors need to contribute to each federal agency’s mission by following proper cyber risk management.
- A holistic cyber risk management plan is the new foundation of government contracts, including both cybersecurity and Stand-Alone Cyber Insurance.
- Your business needs specialist advice from a broker and carrier dedicated to providing comprehensive cyber insurance appropriate for your specific cyber risk tolerance.
- In conjunction with its network of specialist insurance carriers, the Cyber Armada Insurance team is here to help you as you seek to win government contracts.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request cyber solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.
Contact Cyber Armada today to examine your company's potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our upcoming article Cyber Threats to Critical Infrastructure.