[20200908]IN11497_网络安全：关于联邦漏洞披露计划的最新政策和指南 .pdf

CRS INSIGHT Prepared for Members and Committees of Congress INSIGHTINSIGHTi i Cybersecurity: Recent Policy and Guidance on Federal Vulnerability Disclosure Programs September 8, 2020 The Trump Administration has released policy and guidance on vulnerability disclosure programs (VDP) for federal agencies. VDPs help organizations secure their information technology (IT) by allowing the public to discover and report weaknesses in systems in the hope that the organization will mitigate the vulnerabilities. Vulnerabilities can be exploited by malicious actors to compromise systems, which may lead to data breaches. On September 2, 2020, the Office of Management and Budget (OMB) released Memorandum M-20-32 on Improving Vulnerability Identification, Management, and Remediation and the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 20-01 (BOD) to Develop and Publish a Vulnerability Disclosure Policy. Policies Memorandum M-20-32 establishes the policy of a federal VDP and agency responsibilities. The memorandum states that a VDP includes traditional vulnerability disclosure policies (i.e., an open program where the public can find vulnerabiliti