Under new law, NIST looks to map out vulnerability disclosure policies for government

The National Institute of Standards and Technology is leaning on the Defense and Homeland Security Departments as it works through lawmakers' request to map out software vulnerability disclosure processes for the federal government.

"We would like to use whatever guidelines there are in place as this is a developing area right now primarily led by DOD and DHS," Kim Schaffer, an IT specialist at NIST, said Thursday during an Information Security and Privacy Advisory Board meeting.

Lawmakers in December passed the Internet of Things Cybersecurity Improvement Act of 2020. The bill looks to codify minimum security guidelines for IoT devices that are acquired by the federal government and deployed on federal networks. The bill also tasks NIST with developing processes that address how the federal government ensures vulnerability disclosures are sent to the correct places and that disclosures are promptly addressed once identified.

The bill cites policies from the International Organization for Standardization that NIST should incorporate "to the maximum extent practicable." Schaffer said NIST has begun workshops as well as discussions with DOD and DHS to understand how they work with individual software development offices.

The final product NIST recommends could be a software development office at the agency level or the government could turn to contractors to facilitate reporting, but "basically, the government has a responsibility to make sure it gets these reports, and it addresses those reports," Schaffer said.

While NIST's work on these policies was directed by the IoT legislation, the policies will be applicable for vulnerability disclosures beyond such devices, Schaffer added.

The law mandates that NIST deliver its work to Congress in June, but that will likely only be the first step in fleshing out the policy.

Schaffer said an "awareness campaign" may be necessary to make sure software vendors understand the need to process incoming reports and "work with the supply chain to make sure that this is identified and fixed as soon as possible for everyone."

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.
