
Emailed comments from the Department of Education, Office of Inspector General #131

Closed
h-m-f-t opened this issue Jan 11, 2020 · 0 comments · Fixed by #152
Labels
20-01 VDP directive

Comments


h-m-f-t commented Jan 11, 2020

Thank you for the chance to provide comments on DHS’ draft BOD 20-01 that would require agencies to develop and implement an IT systems vulnerability disclosure policy. We generally support creating a mechanism where individuals can submit vulnerability reports. However, we are concerned about the requirement for such policies to contain commitments to not recommend or pursue legal action for such activities, and the burden such policies would impose on individual departments and agencies to track, respond to, and resolve such reports. Specifically, as a law enforcement agency, we believe including a provision in any policy that makes a commitment regarding not pursuing legal action is ill advised because it will be impracticable to determine in many cases when external parties or researchers are proceeding in good faith (and are thus not engaging in criminal conduct like a violation of 18 USC Section 1030) when interfacing with agency IT systems and/or reporting vulnerabilities. In addition, the resources required to implement such a mechanism and policy for most agencies and departments, particularly those with many outward-facing IT systems, will be significant. DHS may want to consider tasking creation and implementation of a policy to an entity like US-CERT so that the function is centralized and consistent across Government, rather than creating an unfunded mandate on individual agencies.

Antigone Potamianos
Counsel to the IG
Education OIG
