Section 3553 - Authority and functions of the Director and the Secretary

4 Analyses of this statute by attorneys

  1. Challenges and Opportunities for the U.S. Department of Homeland Security’s Expanding Role in Government-Wide Procurement Policy

    Wiley Rein LLP, Tracye Winfrey Howard, February 25, 2021

    CISA has unique authority in binding operational directives (BODs) and emergency directives (EDs) to direct certain agencies to deploy information security protections or mitigations in response to a threat, incident, or vulnerability. 44 U.S.C. 3553. CISA has used this authority several times over the past several years, with BODs requiring removal of Kaspersky products from federal systems, mandating vulnerability disclosure policies for internet-facing federal systems, and the emergency directive implementing mandatory patches and mitigations in response to the attack on the SolarWinds network management tool.

  2. DHS Cybersecurity Arm Directs Executive Agencies to Develop Vulnerability Disclosure Policies

    Patrick Law Group, LLC, Jennifer Thompson, December 3, 2019

    While the Directive stops short of requiring agencies to offer financial rewards, agencies are permitted to do so. The overarching goal of the Directive is to create and foster an environment where good faith security research on specific, internet-accessible systems is welcomed and authorized by all Executive Branch agencies. DHS is authorized by the Federal Information Security Modernization Act of 2014 (44 U.S.C. §3553(b)(2)) to issue and oversee Binding Operational Directives. These directives are binding on departments and agencies of the Executive Branch of the Federal government, although they do not apply to certain statutorily identified national security and intelligence systems or the Department of Defense. The VDP Directive is the first ever for which DHS has solicited public comment.

  3. Legislative and Regulatory Update on Federal Supply Chain Risk Management

    Hogan Lovells, Michael Scheimer, July 13, 2018

    Federal Network Protection Act (S. 2743): Currently, DHS is authorized to “mitigat[e]...exigent risks to information systems” by issuing “binding operational directives.” 44 U.S.C. §3553. The Federal Network Protection Act would clarify that DHS is not required to notify contractors of any mitigation efforts related to goods or services provided by those contractors.

  4. Privacy & Cybersecurity Update - May 2018

    Skadden, Arps, Slate, Meagher & Flom LLP, June 5, 2018

    (2018) (statement by Kirstjen Nielsen, Secretary of the U.S. Department of Homeland Security). 10 See Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3553(b) (2014).