Report: NTSB Only Federal Agency Without CISA-Mandated Vulnerability Disclosure Policy
A review conducted by Nextgov revealed that out of all the 101 federal agencies under the Cybersecurity and Infrastructure Security Agency‘s authority, only the National Transportation Safety Board has not developed and implemented a vulnerability disclosure policy.
In September 2020, CISA issued Binding Operational Directive 20-01, which requires all federal civilian executive branch agencies under its authority to develop VDPs to allow security researchers and ethical hackers to identify and report vulnerabilities in agency internet-accessible information systems. The agencies were required to publish their policies on a public web page.
Keith Holloway, a spokesperson for the NTSB, initially said the directive only applies to security-focused agencies and that the NTSB performs transportation-related accident investigations. However, Holloway retracted his statement after being contacted by CISA about noncompliance, Nextgov reported Tuesday.
In July 2021, CISA introduced a VDP platform that gives federal civilian agencies a single platform to gather and share information about software threats. The system, which supports BOD 20-01, also helps agencies comply with reporting metrics.
Holloway said the NTSB immediately expressed interest in participating in the platform. The NTSB expects to be operational on the VDP platform by the end of the fiscal year 2022, the spokesperson shared.
There are 23 agencies currently using the platform. Except for the NTSB, all participants have implemented VDPs within the timeframe that CISA mandated in BOD 20-01.
Tags: Binding Operational Directive 20-01 cybersecurity Cybersecurity and Infrastructure Security Agency Keith Holloway National Transportation Safety Board Nextgov vulnerability disclosure policy