NIST Aims to Create Software Vulnerability Disclosure Program
The National Institute of Standards and Technology is looking to create a software vulnerability disclosure program for the federal government as mandated by legislation passed in December.
Under the Internet of Things Cybersecurity Improvement Act of 2020, the NIST director must publish guidelines for receiving, reporting, coordinating and publishing information related to security vulnerabilities in agency systems, including IoT devices.
NIST is currently reviewing existing policies launched by the departments of Defense and Homeland Security to serve as the basis of its own policy, GCN reported.
Kim Schaffer, an information technology specialist at NIST, told attendees at a recent Information Security and Privacy Advisory Board meeting that the agency is looking at guidelines already in place since vulnerability disclosure is still a developing area.
DOD and DHS are at the forefront of addressing system vulnerabilities.
In 2016, DOD published its own vulnerability disclosure policy, which provides security researchers a legal avenue to disclose vulnerabilities in any of the department’s public-facing systems.
Four years later, DHS released Binding Operational Directive 20-01, “Improving Vulnerability Identification, Management, and Remediation.” The directive requires agencies to implement vulnerability disclosure policies with clearly identified reporting mechanisms.
According to Schaffer, NIST has already talked with DOD and DHS to get a better idea of how these agencies work with individual software development offices.
Looking ahead, Schaffer said NIST could establish a software development office at the agency level. The agency could also create policies allowing contractors to facilitate vulnerability reporting, he added.