Date Published: June 2021
Comments Due:
Email Questions to:
Author(s)
Kim Schaffer (NIST), Peter Mell (NIST), Hung Trinh (NIST)
Announcement
Not all security vulnerabilities can be found through automated processes or testing. Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. In 2020 alone, more than 18,000 vulnerabilities were publicly listed in the National Vulnerability Database (NVD).
NIST is inviting comments on this Draft NIST Special Publication, which establishes a flexible, unified framework for establishing policies and implementing procedures for reporting, assessing, and managing vulnerability disclosures for systems within the Federal Government. Per the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and ISO/IEC30111, these guidelines address:
- The establishment of a federal vulnerability disclosure framework, including the Federal Coordination Board (FCB) and Vulnerability Disclosure Program Offices (VDPOs)
- The receipt of information about potential security vulnerabilities in information systems owned or controlled by a government agency
- The dissemination of information about security vulnerability resolutions to government agencies and the public
NIST is leading this government-wide effort in coordination with other agencies, including the Office of Management and Budget (OMB), the Department of Defense (DoD), and the Department of Homeland Security (DHS).
We encourage you to use the comment template for documenting your comments on the draft.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Reporting known or suspected security vulnerabilities in digital products is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document recommends guidance for establishing a federal vulnerability disclosure framework and highlights the importance of proper handling of vulnerability reports and communicating the minimization or elimination of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.
Reporting known or suspected security vulnerabilities in digital products is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document...
See full abstract
Reporting known or suspected security vulnerabilities in digital products is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document recommends guidance for establishing a federal vulnerability disclosure framework and highlights the importance of proper handling of vulnerability reports and communicating the minimization or elimination of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.
Hide full abstract
Keywords
Federal Coordination Body; vulnerability communication; Vulnerability Disclosure; Vulnerability Disclosure Policy; Vulnerability Disclosure Program Office; vulnerability processing; vulnerability tracking
Control Families
None selected
