NIST charting federal vulnerability disclosure policy
Connecting state and local government leaders
To design a software vulnerability program for the federal government, the National Institute of Standards and Technology is reviewing work done by the Defense and Homeland Security Departments.
To design a software vulnerability program for the federal government, the National Institute of Standards and Technology is reviewing work done by the Defense and Homeland Security Departments.
The Internet of Things Cybersecurity Improvement Act of 2020, passed in December, tasks the NIST director with publishing guidelines for receiving, reporting, coordinating and publishing information related to security vulnerabilities -- not limited to IoT devices -- in agency systems as well as the resolving those issues.
DOD published its vulnerability disclosure policy in 2016, and in September 2020 DHS issued Binding Operational Directive 20-01, “Improving Vulnerability Identification, Management, and Remediation.”
"We would like to use whatever guidelines there are in place as this is a developing area right now primarily led by DOD and DHS," Kim Schaffer, an IT specialist at NIST, said during a March 4 Information Security and Privacy Advisory Board meeting. NIST has begun workshops as well as discussions with DOD and DHS to understand how they work with individual software development offices, Schaffer said.
The final product NIST recommends could be a software development office at the agency level or the government could turn to contractors to facilitate reporting, but "basically, the government has a responsibility to make sure it gets these reports, and it addresses those reports," Schaffer said.
While NIST's work on these policies was directed by the IoT legislation, the policies will be applicable for vulnerability disclosures beyond such devices, Schaffer added
The law mandates NIST delivers its work to Congress in June, but that will likely only be the first step in fleshing out the policy.
Schaffer said an "awareness campaign" may be necessary to make sure software vendors understand the need to process incoming reports and "work with the supply chain to make sure that this is identified and fixed as soon as possible for everyone."
This article was first posted to FCW, a sibling site to GCN.