VULNERABILITY DISCLOSURE PROGRAM (VDP) POLICY AND HANDLING PROCEDURES
This Attachment provides information and/or requirements associated with DOE O 205.1C as well as information and/or requirements applicable to contracts in which the associated CRD (Attachment 1 to DOE O 205.1C) is inserted.
This Vulnerability Disclosure Program: Requirements and Handling Procedures supports the Department of Energy’s (DOE) Cybersecurity Program and meets the requirements of the Office of Management and Budget (OMB) Memorandum (M)-20-32, Improving Vulnerability Identification, Management, and Remediation, and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy. This Attachment will enhance the cybersecurity posture of the DOE through the development of a formal mechanism to receive information from members of the public acting in good faith (hereafter referred to as Reporters) about potential security vulnerabilities on DOE websites, systems, or digital services that are within scope of this program, i.e., those intended for use by the public or internet-accessible through a publicly routed IP address or a hostname that resolves publicly in the Domain Name System (DNS) to such an address. This includes DOE web-based forms, web-based applications, and digital services.
A Reporter is defined as any person or entity external to the Department, who or which in good faith submits a security vulnerability or vulnerabilities to the Department consistent with this Attachment. The handling procedures provided herein codify the DOE’s process for receiving, evaluating, and remediating potential vulnerabilities, facilitate transparency and communication between DOE and the public, and set out minimum requirements for Departmental Elements, program offices, and associated sites.
1. VULNERABILITY DISCLOSURE PROGRAM POLICY.
a. Scope. The Office of the Chief Information Officer (OCIO), in alignment with applicable laws and directives, will determine the overall scope of this Attachment and will work with Heads of Departmental Elements (HDEs) to determine which systems and services are under their purview. The scope of the Attachment shall progressively expand such that:
(1) At the issuance of this Attachment, the DOE OCIO has identified at least one DOE website, system, or digital service produced for public use or that is internet-accessible to be in-scope.
(2) At the issuance of this Attachment, all newly launched and produced DOE websites, systems, or digital services intended for public use or made internet-accessible hereafter will be considered in-scope under the Attachment.
(3) Within 270 calendar days after the issuance of this Attachment, and within every 90 calendar days thereafter, the scope of this Attachment will increase by at least one DOE website, system, or digital service intended for public use or made internet-accessible.
(4) At 2 years after the issuance of this Attachment, all DOE produced websites, systems, or digital services intended for public use or made internet-accessible will be in-scope of this Attachment.
b. Out of Scope Systems and Services. The following websites, systems, and services are excluded from the testing provisions and legal protections afforded to Reporters within this Attachment. If Reporters are uncertain of whether a website, system, or digital service is in-scope of this Attachment, it is recommended that they contact the designated security point of contact to confirm.
(1) National Security Systems (NSS). The definition of a National Security System, along with other applicable terms used in the National Security Community, is found in CNSSI 4009, Information Assurance Glossary.
(2) Websites, systems, and digital services owned by Third Party Service Providers. The DOE uses third-party services to assist the Department in communicating or interacting with the public. These services may be completed using separate websites, systems, and digital services or may be embedded in DOE produced websites, systems, and digital services. DOE information maintained and operated by Third Party Service Providers, or websites, systems, and digital services owned by Third Party Service Providers but operated or controlled by the Department are subject to the provider’s privacy policies. Testing of such websites, systems, or digital services is not protected under this Attachment.
(3) Non-Public Facing or non-Internet-Accessible websites, systems, and digital services.
c. Policy. The Department’s Vulnerability Disclosure Program serves to enhance the resiliency of the Department’s internet-accessible systems and services by providing an authorized disclosure process for Reporters to report potential security vulnerabilities or issues. Reporters who make a good-faith effort to follow this Attachment and its corresponding rules of engagement enable the DOE to reduce risk to its infrastructure by incentivizing coordinated disclosure to remediate vulnerabilities with expediency.
A security vulnerability means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.
The following actions are required to facilitate the intake, review, and remediation of reported security vulnerabilities and ensure communication between the Department and Reporters.
(1) Process to Submit a Vulnerability Report.
(a) A Reporter may submit an identified potential vulnerability or vulnerabilities to the Department via doe.responsibledisclosure.com. Information submitted via this portal will be encrypted in transit and at rest, and anonymized to protect the identity of the Reporter;
(b) The Reporter must accept the terms and conditions before submitting a security vulnerability. All submissions will be subject to relevant federal disclosure statutes including 5 U.S.C. § 552, although the anonymity of the report will be protected as required by this Attachment and Federal law. Following acceptance of the terms and conditions, the Reporter will provide detailed information about the security vulnerability to enable DOE to replicate the discovery of the vulnerability, including all relevant details such as product(s), version(s), and configuration setting(s);
(c) The integrated Joint Cybersecurity Coordination Center (iJC3) will validate the credibility of all reported security vulnerability submissions using the Common Vulnerability Scoring System (CVSS) or other approved methodology and prioritize for remediation action as necessary. Validation may entail collaboration with the Reporter to obtain additional information necessary to analyze the reported security vulnerability. The Reporter will not be required to produce or share any personally identifiable information (PII) during this process; and
(d) Reporters are encouraged to assess the potential impact of the vulnerability they are submitting via CVSS or other similar methodology in order to ensure that only high-impact vulnerabilities are disclosed.
(2) The following research and testing methods are prohibited for identifying potential security vulnerabilities on DOE internet-accessible systems and services within scope of this Attachment, and their use is a violation of the Department's Vulnerability Disclosure Program:
(a) No security testing is authorized on industrial control systems (ICS) managed by DOE, but reports of information security concerns on ICS are accepted and will be elevated for remediation as required.
(b) Denial of Service testing.
(c) Physical or social engineering (e.g., phishing).
(d) Methods that disrupt system operation or result in the modification or destruction of data.
(e) Exploitation of a vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
(f) Any other activity that would not reasonably be considered prudent given the terms, conditions, and intent of this Attachment.
(3) In addition, Reporters shall not:
(a) Conduct data exfiltration.
(b) Intentionally compromise the privacy, safety, intellectual property (IP), or other commercial or financial interests of any DOE employee, contractor, or DOE-associated entity.
(c) Intentionally compromise any Controlled Unclassified Information (CUI), including PII and IP, or Official Use Only (OUO) information.
(d) Retain or transmit any information, including PII or IP, belonging to the Department.
(e) Request monetary compensation for time, materials, expenses, and effort (e.g., a bounty) or a property interest of any type or kind for any security vulnerabilities that they may discover.
(4) The Department will acknowledge receipt of each vulnerability report to the Reporter within three business days of submission. Acknowledgement to the Reporter may be, but is not limited to, a notice published on a Department-approved website/portal indicating the status of the submitted vulnerability. The Reporter may also choose to remain anonymous. The Department will be as transparent as possible about what steps it is taking during the remediation process.
(5) DOE requests that Reporters not publicly disclose a security vulnerability or vulnerabilities prior to the time-limited response period as determined by DOE.
(6) The Department will not recommend or pursue legal action against anyone for a security-reporting activity that the Department concludes represents a good-faith effort to follow the Attachment and will deem that activity authorized.
(7) This Attachment will be effective upon the approval and issuance of DOE O 205.1C Chg 1. All Departmental Elements must be in compliance with this Attachment within one year of issuance.
d. Publication of Vulnerability Disclosure Program. At the issuance of this directive, DOE will publish the Attachment as a web page in plain text or HTML.
e. Security File. At the issuance of this Attachment, DOE will create a security.txt file at the doe.gov domain.
2. VULNERABILITY DISCLOSURE HANDLING PROCEDURES.
a. The following handling procedures are requirements to support the effective implementation of this Attachment:
(1) Receipt and Tracking. All reported vulnerabilities will be tracked to conclusion using the following steps:
(a) Vulnerability reports will be tracked from when a report is first received up to its resolution via the vulnerability disclosure portal;
(b) Vulnerability reports will be available to system owners within 48 hours of submission, and a channel will be established for the system owners to communicate with vulnerability Reporters, as appropriate;
(c) When a vulnerability report is submitted via the vulnerability disclosure portal, it will be triaged by iJC3 based on the potential impact to system confidentiality, integrity, or availability and assigned a score based on the CVSS or other accepted methodology; and
(d) Reports of vulnerabilities requiring remediation will be transmitted to the appropriate system or service owner via the iJC3.
(2) Remediation. Upon receipt of a verified vulnerability from the iJC3, the system or service owner will remediate the vulnerability and document the actions taken, or provide documentation of risk acceptance. The owner should then determine whether this verified vulnerability has previously been exploited or whether there have been prior attempts to exploit it. DOE will adhere to DHS-published timelines for vulnerability remediation, as applicable.
(3) Incident Investigation and Remediation. If an investigation determines that a vulnerability reported via the Vulnerability Disclosure Program was exploited prior to its discovery, an incident report will be opened. Such an incident will be remediated and reported according to the established iJC3 incident reporting requirement.
(4) Out of Scope Systems and Services. If a report is submitted for systems and services that are out of scope, the response to the Reporter should acknowledge the report and inform them that the report falls outside of the scope as described in the Attachment.
(5) Communication. Receipt of each submission will be acknowledged within three business days. Acknowledgement may be, but is not limited to, a notice published on a Department-approved website that identifies the Reporter by name or handle and details the date and time of their submission. Alternatively, the Reporter may elect to remain anonymous, in which case the Reporter will not be identified. The following communication procedures will apply for submitted vulnerabilities:
(a) Initial assessment of each vulnerability report will be completed within seven business days from initial submission. The verification team will be responsible for completing the initial assessment of each vulnerability.
(b) Resolution of credible security vulnerabilities, including notification to the Reporter, will occur on a timely basis from initial submission.
(c) Credible reports of newly discovered or not publicly known vulnerabilities on agency systems that use commercial software or services that affect or are likely to affect other parties in government or industry, as well as vulnerabilities requiring inter-agency support, will be reported immediately to the Cybersecurity and Infrastructure Security Agency.
(6) Compliance and Noncompliance with Attachment. The Department will not take civil action or bring a complaint to law enforcement for unintentional, good-faith violations of this Attachment. If legal action is taken by a third party against a Reporter who complied with the Attachment and the corresponding Rules of Engagement, the Department will take appropriate measures to show that the Reporter’s actions were in compliance with the Attachment.
It is recommended that Reporters first contact the iJC3 before testing any internet-accessible system that may be outside the Attachment’s scope.
3. RESPONSIBILITIES.
a. DOE Office of the Chief Information Officer (OCIO).
(1) Carries out the responsibilities of the Federal Agency CIO as required by Federal law, regulation and policy, and is responsible for:
(a) Executing the Attachment in compliance with federal guidelines and requirements.
(b) Defining security vulnerability reporting requirements, including establishing the criteria to determine the systems and services in-scope of this Attachment in collaboration with designated Departmental Elements / Site representatives.
(2) Works with the DOE CISO and Heads of Departmental Elements (or their designated representatives) to ensure that:
(a) Applicable systems and services under DOE ownership, use, and control fall within scope of the Attachment.
(b) Heads of Departmental Elements provide information and support for the applicable systems and services within scope of this Attachment, which is used to identify the scope of the Attachment, and ensure that system and service owners execute remediation for vulnerabilities under their authority.
(c) Infrastructure and services necessary to support security vulnerability reporting, tracking, and communication are established and protected.
(d) Validated security vulnerabilities and associated metrics are included in any Agency reporting to DHS, OMB, and other federal entities as necessary.
(e) This Attachment and its handling procedures are reviewed every three years to align with federal requirements, to account for changes in the general cybersecurity landscape, and to incorporate additional best practices for receiving, tracking, and reporting vulnerabilities identified by Reporters.
b. Integrated Joint Cybersecurity Coordination Center (iJC3).
(1) Reviews reported vulnerabilities for credibility.
(2) Directs reported vulnerabilities to the appropriate system or service owner.
(3) Ensures that system or service owners receive reported vulnerabilities.
(4) Confirms that vulnerabilities have been properly remediated.
(5) Tracks individual vulnerabilities from initial report through remediation.
(6) Communicates with Reporters through all stages of the vulnerability disclosure process.
(7) Collects metrics on vulnerabilities reported under the Vulnerability Disclosure Program, enabling the Department to meet reporting requirements under OMB M-20-32, BOD 20-01, the Federal Information Security Modernization Act (FISMA) of 2014, and other applicable directives and laws.
(8) Informs the OCIO with regular reports on the status of vulnerabilities disclosed under the VDP.
(9) Ensures that critical vulnerabilities with the potential to adversely impact the Department’s mission are promptly brought to the attention of the OCIO leadership.
(10) Conducts trend analysis on reported vulnerabilities across the enterprise in order to identify opportunities for systematic improvement in the Department’s cyber posture.
c. Heads of Departmental Elements (HDEs).
(1) Shall ensure compliance with the Attachment for any in-scope systems and services under their purview and support timely prioritization, communication, and remediation of vulnerabilities reported.
(2) Have overall responsibility for the remediation of vulnerabilities reported on systems and services deemed to be in-scope for the program.
(3) Consult, inform, and coordinate with the DOE CIO to resolve cross-Departmental Element vulnerabilities and issues.
d. Authorizing Officials (AOs). Responsible for accepting risk for this Attachment’s in-scope systems.
e. System and Service Owners.
(1) Responsible for remediation of credible vulnerabilities reported through the Attachment and meeting all relevant communication and remediation timelines listed herein; and
(2) Shall provide all required documentation of vulnerability remediation or risk acceptance to iJC3.
4. REFERENCES.
a. Office of Management and Budget (OMB) Memorandum (M)-20-32, Improving Vulnerability Identification, Management, and Remediation, September 2, 2020. This memorandum provides Federal agencies with guidance for obtaining and managing their vulnerability research programs.
b. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy, September 2, 2020. This directive promulgates a requirement for Executive Branch Departments and Agencies to publish a vulnerability disclosure policy.
c. 5 U.S.C. § 552, Public information; agency rules, opinions, orders, records, and proceedings. Created by the Pub. L. 89–554, Sept. 6, 1966, 80 Stat. 383, also known as The Freedom of Information Act, this statute generally requires that departments and agencies make information on rules, opinions, orders, records and proceedings available to the public.
d. International Organization for Standardization / International Electrotechnical Commission (ISO / IEC) 29147:2018 Information technology — Security techniques — Vulnerability disclosure. This document describes vulnerability disclosure: techniques and policies for vendors to receive vulnerability reports and publish remediation information.
e. ISO / IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes. This document describes processes for vendors to handle reports of potential vulnerabilities in products and services.
f. DOE Order (O) 205.1C, Department of Energy Cybersecurity Program, enables accomplishment of the Department’s mission and fulfills Federal cyber security requirements while allowing Departmental Elements programmatic and operational flexibility, enhances risk management, through delegation of risk management to the lowest appropriate level, addresses roles and responsibilities, and sets standards for performance across all levels of the Department.
g. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
h. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
5. DEFINITIONS.
a. Control. For the purposes of this Attachment, DOE utilizes the definition of the term control as found in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations:
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values.
b. Credible Vulnerability. A reported vulnerability that has been validated by iJC3 and for which remediation steps have been determined by the appropriate system and service owners.
c. Good Faith. An absence of fraudulent or malicious intent, and a desire to help—not harm—the Department.
d. Internet Accessible System. Any DOE system that is reachable over the public internet and has a publicly routed IP address or a hostname that resolves publicly in DNS to such an address. An internet-accessible system does not include infrastructure internal to the DOE network that enables endpoints to be accessible over the internet, systems reachable from the internet that require special configuration or access controls (e.g., via a Virtual Private Network), or shared services used by the Department.
e. Reporter. Any person or entity external to the Department, who or which in good faith submits a security vulnerability or vulnerabilities to the Department consistent with this Attachment. The Department allows that persons or entities other than the one who or that discovered the security vulnerability may come forward and present as the Reporter.
f. Security Vulnerability. For the purpose of this Attachment, DOE utilizes the definition of the term security vulnerability as found in the Cybersecurity Information Sharing Act of 2015, 6 U.S.C. § 1501(17):
Security vulnerability means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
g. Vulnerability Disclosure. The “act of initially providing vulnerability information to a party that was not believed to be previously aware.”
6. CONTACT. Questions concerning this attachment should be directed to the Office of the Chief Information Officer at (202) 586-0166.