Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments.  This framework provides private entities a series of steps to establish a formal program that balances the need to enhance organizations’ cybersecurity with potential legal risks associated with identifying, testing, and disclosing vulnerabilities.  While the framework does not prescribe specific requirements, it does provide guidance that an organization should consider whether it is developing a new disclosure program or already has an established program.  The framework also appears consistent with previous U.S. Government guidance on vulnerability disclosure — such as the policy or guidance published by the U.S. Department of Defense, General Services Administration 18F Office, and National Telecommunications & Information Administration.

In sum, the four-step framework recommends an organization consider the following:

Step 1: Design the vulnerability disclosure program.

  • Whether to apply the disclosure program across its entire enterprise or specifically focus on certain portions of its network, applications, or data types.
  • When choosing to include sensitive data (or systems that process or store sensitive data), an organization should “seriously weigh the risks and consequences of exposing [sensitive] information that it has a legal duty to protect and . . . consider consulting with legal counsel when making its scoping decisions.”
  • Establish a program that focuses on certain types of vulnerabilities rather than all vulnerabilities — for example, a program may focus on software flaws, weak password management practices, outdated and poorly configured systems that are susceptible to exploitation, and/or inadequate security training.
  • Assess whether any third-party interests may be involved (such as a cloud service provider storing the organization’s data or hosting its infrastructure) and account for those interests; otherwise, the program may lack the appropriate authorization to access the third-party’s systems and subject the organization to heightened legal risk.

Step 2: Plan for administering the vulnerability disclosure program.

  • Establish a process for vulnerability reporting that includes authenticating the accuracy of the vulnerability.
  • If the program includes sensitive data, limit access, processing, and retention of sensitive data by testing and reporting entities.
  • Identify key points-of-contact to receive and process vulnerability reports, and “[i]dentify personnel who can authoritatively answer questions about conduct that the [program] does and does not authorize.”
  • Decide how to handle “accidental, good faith violations” and “intentional, malicious violations” of the program.

Step 3: Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent.

  • Describe what type of conduct is authorized and unauthorized, including, but not limited to, specific techniques, use of the organization’s data, deletion or alteration of data, and denying access to systems.
  • Identify what portions of an organization’s network, applications, or data types are in scope.
  • Establish program controls to protect sensitive data and systems that process or store sensitive data.
  • Outline the potential consequences for complying (and not complying) with the disclosure program.

Step 4: Implementing the vulnerability disclosure program.

  • Ensure an organization’s vulnerability disclosure policy is “easily accessible and widely available.”  Some examples include advertising the program and prominently displaying the policy on an organization’s website.
  • Consider requiring anyone who performs related activities to do so under the established program.

 

Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.