Under new law, NIST looks to map out vulnerability disclosure policies for government

The National Institute of Standards and Technology is leaning on the Defense and Homeland Security Departments as it works through lawmakers' request to map out software vulnerability disclosure processes for the federal government.

"We would like to use whatever guidelines there are in place as this is a developing area right now primarily led by DOD and DHS," Kim Schaffer, an IT specialist at NIST, said Thursday during an Information Security and Privacy Advisory Board meeting.

Lawmakers in December passed the Internet of Things Cybersecurity Improvement Act of 2020. The bill looks to codify minimum security guidelines for IoT devices that are acquired by the federal government and deployed on federal networks. The bill also tasks NIST with developing processes that address how the federal government ensures vulnerability disclosures are sent to the correct places and that disclosures are promptly addressed once identified.

The bill cites policies from the International Organization for Standardization that NIST should incorporate "to the maximum extent practicable." Schaffer said NIST has begun workshops as well as discussions with DOD and DHS to understand how they work with individual software development offices.

The final product NIST recommends could be a software development office at the agency level or the government could turn to contractors to facilitate reporting, but "basically, the government has a responsibility to make sure it gets these reports, and it addresses those reports," Schaffer said.

While NIST's work on these policies was directed by the IoT legislation, the policies will be applicable for vulnerability disclosures beyond such devices, Schaffer added.

The law mandates that NIST deliver its work to Congress in June, but that will likely only be the first step in fleshing out the policy.

Schaffer said an "awareness campaign" may be necessary to make sure software vendors understand the need to process incoming reports and "work with the supply chain to make sure that this is identified and fixed as soon as possible for everyone."

About the Author

Justin Katz is a former staff writer at FCW.
