The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is conducting market research, seeking potential vendors and industry feedback, for a governmentwide vulnerability disclosure platform (VDP).
A Dec. 20 request for information (RFI) details CISA’s interest in a software-as-a-service web application through which vulnerabilities can be reported and the owners of federal information systems alerted to potential issues. The agency foresees a central platform to manage the submission and tracking of vulnerabilities, while participating agencies would remain individually responsible for remediating the reported concerns.
“Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” the agency explains in the RFI. “Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public.”
A draft of Binding Operational Directive 20-01, released by CISA in November, requires federal agencies to establish vulnerability disclosure policies for all internet-connected systems. A VDP, such as the one described in the RFI, would support the directive with a centralized, CISA-managed system for receiving vulnerability disclosures.
Additionally, CISA is seeking information on VDPs that can screen submissions for errors, allow communication between the reporter and the agency, provide updates on the status of reports, and produce metrics about the reports received.
CISA is accepting responses through Jan. 15. Responses will be used for market research only.