[Federal Register Volume 84, Number 244 (Thursday, December 19, 2019)]
[Notices]
[Page 69761]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-27307]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Cybersecurity and Infrastructure Security Agency; Availability of 
Draft Binding Operational Directive 20-01

AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.

ACTION: Notice of availability; request for comments.

-----------------------------------------------------------------------

SUMMARY: Through this notice, CISA is making available a draft binding 
operational directive that will apply to all Federal, executive branch 
departments and agencies relating to vulnerability disclosure policies. 
The draft binding operational directive proposes requiring agencies to 
develop and publish a vulnerability disclosure policy (VDP) and 
maintain supporting handling procedures. This notice also requests 
comment on the draft binding operational directive.

DATES: Comments are due by December 27, 2019.

ADDRESSES: You may send comments by any of the following methods:
     Agency Website: For instructions on how to provide 
comments, please follow the instructions provided at https://cyber.dhs.gov/bod/20-01/.
     Email: [email protected]. Include ``Draft Binding 
Operational Directive 20-01'' in the subject line of the email.
    Instructions: The full text of the draft Binding Operational 
Directive 20-01 is available at https://cyber.dhs.gov./bod/20-01/. Do 
not submit comments that include trade secrets, confidential commercial 
or financial information, Chemical-terrorism Vulnerability Information 
(CVI), Protected Critical Infrastructure Information (PCII), or 
Sensitive Security Information (SSI). All written comments received 
will be posted without alteration at https://github.com/, including any 
personal information. Contact information submitted through email will 
not be posted to https://github.com/, except for any name and 
affiliation included in the comment.

SUPPLEMENTARY INFORMATION: The Department of Homeland Security (``DHS'' 
or ``the Department'') has the statutory responsibility, in 
consultation with the Office of Management and Budget, to administer 
the implementation of agency information security policies and 
practices for information systems, which includes assisting agencies 
and providing certain government-wide protections. 44 U.S.C. 3553(b). 
As part of that responsibility, the Department is authorized to 
``develop[ ] and oversee[ ] the implementation of binding operational 
directives to agencies to implement the policies, principles, 
standards, and guidance developed by the Director [of the Office of 
Management and Budget] and [certain] requirements of [the Federal 
Information Security Modernization Act of 2014.]'' 44 U.S.C. 
3553(b)(2). A binding operational directive (``BOD'') is ``a compulsory 
direction to an agency that (A) is for purposes of safeguarding Federal 
information and information systems from a known or reasonably 
suspected information security threat, vulnerability, or risk; [and] 
(B) [is] in accordance with policies, principles, standards, and 
guidelines issued by the Director[.]'' 44 U.S.C. 3552(b)(1). Agencies 
are required to comply with these directives. 44 U.S.C. 
3554(a)(1)(B)(ii).

Overview of Draft BOD 20-01

    On November 27, 2019, CISA posted draft directive 20-01, titled 
``Develop and Publish a Vulnerability Disclosure Policy,'' for public 
feedback at https://cyber.dhs.gov/bod/20-01. This directive requires 
each agency to develop and publish a vulnerability disclosure policy 
(VDP), enable receipt of unsolicited vulnerability reports, maintain 
supporting handling procedures for any vulnerability reports received, 
and report certain metrics to CISA. DHS is publishing this notice of 
availability to provide awareness of the draft binding operational 
directive being available now for review and comment.

    Dated: December 13, 2019.
Richard Driggers,
Deputy Assistant Director, Cybersecurity Division, Cybersecurity and 
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2019-27307 Filed 12-18-19; 8:45 am]
 BILLING CODE 9110-9P-P