Microsoft to give governments heads up on security vulnerabilities

Software giant starts pilot program for critical infrastructure protection

Editor's note: This article was updated on May 20 to correct the name of the Carnegie Mellon Software Engineering Institute.

Microsoft will share technical information on security vulnerabilities with some government organizations before it publicly releases security patches to help governments protect critical infrastructure.

Government organizations that participate in both of two existing Microsoft programs designed to share security information with governments can get advance access to the vulnerability data through a new pilot program named the Defensive Information Sharing Program (DISP).

Microsoft will start the pilot program this summer and begin the full program later this year, said Jerry Bryant, group manager, response communications for Microsoft, in an e-mail statement. Bryant said early access to that information would let the government organizations get an early start on risk assessment and mitigation.

“This will allow members [of DISP] more time to prioritize creating and disseminating authoritative guidance for increasing network defensive posture actions,” Bryant said.

DISP is one of two pilot programs that Stephen Adegbite, senior security program manager lead in the Microsoft Security Response Center, detailed in a blog post on May 17. Adegbite also described another program, the Critical Infrastructure Partner Program, to share insights on security policy, such as approaches to help protect critical infrastructures, with governments.

“Looking at past Internet-based attacks, the trends are pointing to an increase in complex multi-dimensional computer attacks,” Adegbite wrote. “We believe that governments will see increased demands for swifter responses to vulnerabilities that threaten public assets. The need for information to aid in quicker and thorough risk assessments will be paramount.”

Jeffrey Carpenter, manager of the CERT Coordination Center at Carnegie Mellon Software Engineering Institute, said governments have been asking for more timely vulnerability information to better protect critical infrastructure. CERT works with about 40 countries’ computer security incident response teams.

Carpenter said governments want advance notice before security patches are released so they can understand what a problem is and how it affects economies and critical infrastructure.

“I think this has been an evolving process where Microsoft has listened to the governments of countries around the world and this is working to meet the unique needs” of national computer security incident response teams, Carpenter said.

Only national government organizations will be eligible to participate in DISP. However, participants will be allowed to confidentially share the information with their regional and local entities if they can ensure it won’t be leaked.

About the Author

Ben Bain is a reporter for Federal Computer Week.
