Vulnerabilities are discovered in a variety of sources. Developers of software may find security bugs in already-deployed code. Security researchers and penetration testers may find vulnerabilities by scanning or manually testing software and accessible systems. Effectively identifying, triaging, remediating, and reporting vulnerabilities is a central pillar of the EO. In its discussion of Zero Trust architecture, the EO recognizes that the discovery of vulnerabilities is inevitable, and federal agencies’ strategies should focus on how to manage those vulnerabilities efficiently and comprehensively.
Agencies should adhere to NIST’s existing Vulnerability Disclosure Program guidance in Draft NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which addresses reporting, coordinating, publishing, and receiving information about security vulnerabilities. They can also require a range of recommended activities and capabilities from suppliers to enable more comprehensive and timely management of vulnerabilities.