The Inner Circle


Draft NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines

  • 1.  Draft NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines

    Posted Jun 07, 2021 06:42:00 PM
    Hi All,

    NIST is inviting comments on Draft NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which establishes a flexible, unified framework for establishing policies and implementing procedures for reporting, assessing, and managing vulnerability disclosures for systems within the Federal Government. Per the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and ISO/IEC 30111, these guidelines address:

    • The establishment of a federal vulnerability disclosure framework, including the Federal Coordination Board (FCB) and Vulnerability Disclosure Program Offices (VDPOs)
    • The receipt of information about potential security vulnerabilities in information systems owned or controlled by a government agency
    • The dissemination of information about security vulnerability resolutions to government agencies and the public

    NIST is leading this government-wide effort in coordination with other agencies, including the Office of Management and Budget (OMB), the Department of Defense (DoD), and the Department of Homeland Security (DHS).

    A public comment period for this document is open through August 9, 2021. See the publication details for a copy of the draft publication and instructions for submitting comments using the comment template provided.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: Draft NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines

    Posted Jul 26, 2021 10:06:00 AM
    I'm working on the CSA response here: https://github.com/cloudsecurityalliance/uvi-project-plans/blob/main/comments-on-docs/Comments-on-NIST-SP-800-216.md. Please feel free to comment here or in GitHub with any sections/text and your concerns so I can add them in.

    My overall impression: this is a good step forward but lacks a lot of details/guidance, which will result in a lot of replicated work/inconsistent policies that will make dealing with the government difficult. There is definitely more work required around developing best practices/policy/etc.; for example, the quoted ISO standards (29147 and 30111) are very high level.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------