
Emailed comments from Federal Deposit Insurance Corporation, Office of Inspector General #121

Closed
h-m-f-t opened this issue Jan 10, 2020 · 0 comments · Fixed by #152
Labels
20-01 VDP directive

Comments


h-m-f-t commented Jan 10, 2020

The FDIC OIG would like to thank you for the opportunity to comment on draft Binding Operational Directive 20-01. Please find the FDIC OIG’s comments below:

  1. Suggest adding page numbers to the Binding Operational Directive (BOD).

  2. The following sentence appears in the first paragraph of Background: “The primary purpose of fixing vulnerabilities is to protect people by maintaining or enhancing their security and privacy.” Should the word “people” be replaced with “information systems”?

  3. With regard to the bulleted paragraph at the top of page 3 that starts with “The reporter is afraid of legal action…”:
    a. Is the following sentence of this paragraph supported with objective evidence? “To many in the security community, the federal government has a reputation for being defensive or litigious in dealing with outside security researchers.”
    b. What is meant by the following terms in this paragraph: “strongly worded” “legalistic,” “warm assurances,” “good faith,” and “is welcomed”?

  4. The paragraph on “bug bounty” is confusing and does not seem necessary.

  5. Item 2 on page 4 includes the following text: “This value should usually be different…” What is meant by “should usually?”

  6. Item 3 on page 4 allows Federal agencies to determine “the types of testing that are allowed (or specifically not authorized).” The policy appears to authorize “good faith” security research activities by pretty much anyone (including foreign nation-states), which could include efforts to try and break into Federal computer systems within authorized means. Allowing such activity could, in some cases, make it harder for law enforcement to investigate and DOJ to prove intent concerning Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) violations if a subject claims he/she was just following the policy. (The BOD states that the policy must include a commitment not to recommend or pursue legal action whenever someone is engaged in good faith security research activities.) How will DHS ensure that agencies take a relatively consistent approach when addressing this aspect of the policy (e.g., defining what ‘authorized security research activities’ means, ensuring legal sufficiency of the policies, determining what constitutes “a reasonably time-limited” response period, ensuring policies will not affect the enforcement and prosecution by DOJ of CFAA violations, etc.)?

  7. The BOD appears to include contractor-maintained systems and possibly third-party IT services used by Federal agencies within its scope if those systems are Internet-accessible. Has consideration been given to the potential impact on agencies who may need to work with outside vendors to modify their IT contracts to address the requirements of the policy? For example, agencies may need to renegotiate contracts at a higher cost to the government, and third-party vendors have concerns about exposing their systems, and possibly those of their non-Federal clients, to potential risk and legal liability.

  8. Page 5 places no restrictions on a reporter’s ability to share information with others, although there can be a reasonable waiting period. Thus, if someone discovers a vulnerability in a system and reports it, that person can share the vulnerability with others after a waiting period, even if the vulnerability has not yet been remedied, correct? Suggest adding clarifying language in regard to restrictions on embargoed research, specifically if the vulnerabilities cannot be remediated during a reasonable timeframe.

Thank you,

Alexander T. Kreckel
FDIC OIG ITC
