Conversation

egyptiankarim commented Dec 20, 2019

The pull request adds a requirement that agencies consult their legal folks regarding any assertions related to pursuit of legal action made in their vulnerability disclosure policies.

As BODs tend to lean "techy" and will likely initially land amongst OCIO types, there may be value in explicitly requiring agencies work with their legally-minded organizations as they develop their vulnerability disclosure policies.

This pull request resolves #103, Explicit requirement for inclusion of agency OGC in policy development.

After discussing with some folks, I think it might be a little too "legalese"-sounding to call out specific offices in the template. Enough that explicit direction to work with the appropriate legal folks will appear in the BOD itself.
h-m-f-t (Member) commented Dec 20, 2019

Thanks for this!

Just to be clear, we're not actually merging PRs, but we will evaluate all changes suggested.

konklone (Contributor) commented

> Just to be clear, we're not actually merging PRs, but we will evaluate all changes suggested.

Even without literally merging the PR, it's still possible to use GitHub/git to link changes to individual PRs and commits. For an example of this, see: GSA/https#108

egyptiankarim (Author) commented
Yeah, I think that “resolves” works as a keyword like “fixes” for the same purpose. https://help.github.com/en/github/managing-your-work-on-github/closing-issues-using-keywords#about-issue-references

h-m-f-t (Member) commented Dec 23, 2019

> Even without literally merging the PR, it's still possible to use GitHub/git to link changes to individual PRs and commits. For an example of this, see: GSA/https#108

Definitely. And I should have been more clear in my attempt at clarity: we're not merging PRs now. 🇺🇸

@h-m-f-t h-m-f-t added the 20-01 VDP directive label Dec 26, 2019
h-m-f-t (Member) commented Sep 2, 2020

Closing in favor of #152.

In general, what @egyptiankarim outlined is what's expected in practice for agencies. M-20-32 does make those points more explicit, though:

> Each Federal agency's chief information security officer (CISO), or equivalent senior official of a different title is responsible for implementing the policies described in this memorandum. This official shall work with the senior agency official for privacy (SAOP), chief data officer (CDO), general counsel (GC), and other relevant agency officials to ensure compliance with applicable laws, regulations, and policies.

@h-m-f-t h-m-f-t closed this Sep 2, 2020