Under new law, NIST looks to map out vulnerability disclosure policies for government
Lawmakers in December tasked NIST with developing processes that would ensure software vulnerability reports flow to the appropriate government offices and that the issues are promptly fixed.
The National Institute of Standards and Technology is leaning on the Defense and Homeland Security Departments as it works through lawmakers' request to map out software vulnerability disclosure processes for the federal government.
"We would like to use whatever guidelines there are in place as this is a developing area right now primarily led by DOD and DHS," Kim Schaffer, an IT specialist at NIST, said Thursday during an Information Security and Privacy Advisory Board meeting.
Lawmakers in December passed the Internet of Things Cybersecurity Improvement Act of 2020. The bill looks to codify minimum security guidelines for IoT devices that are acquired by the federal government and deployed on federal networks. The bill also tasks NIST with developing processes that address how the federal government ensures vulnerability disclosures are sent to the correct places and that disclosures are promptly addressed once identified.
The bill cites policies from the International Organization for Standardization that NIST should incorporate "to the maximum extent practicable." Schaffer said NIST has begun workshops as well as discussions with DOD and DHS to understand how they work with individual software development offices.
The final product NIST recommends could be a software development office at the agency level or the government could turn to contractors to facilitate reporting, but "basically, the government has a responsibility to make sure it gets these reports, and it addresses those reports," Schaffer said.
While NIST's work on these policies was directed by the IoT legislation, the policies will be applicable for vulnerability disclosures beyond such devices, Schaffer added.
The law mandates that NIST deliver its work to Congress in June, but that will likely be only the first step in fleshing out the policy.
Schaffer said an "awareness campaign" may be necessary to make sure software vendors understand the need to process incoming reports and "work with the supply chain to make sure that this is identified and fixed as soon as possible for everyone."