Software Security in Supply Chains: Vulnerability Management

Vulnerabilities are discovered from a variety of sources. Software developers may find security bugs in already-deployed code. Security researchers and penetration testers may find vulnerabilities by scanning or manually testing software and accessible systems. Effectively identifying, triaging, remediating, and reporting vulnerabilities are central pillars of the EO. In its discussion of Zero Trust Architecture, the EO recognizes that the discovery of vulnerabilities is inevitable, and that federal agencies should focus on managing those vulnerabilities efficiently and comprehensively.

Federal agencies should adhere to NIST’s existing Vulnerability Disclosure Program guidance in SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which addresses reporting, coordinating, publishing, and receiving information about security vulnerabilities. Agencies should require their software suppliers to participate in a Vulnerability Disclosure Program or monitor them as potential risks. Agencies should also require a range of supplier activities and capabilities that enable the comprehensive and timely management of vulnerabilities. For example, agencies may require that suppliers disclose whether provided software components are vulnerable to exploitation through a vulnerability advisory report in an automated and machine-readable format (e.g., Vulnerability Exploitability eXchange [VEX]). Agencies should be able to accept vulnerability advisories in an automated format. 

Per [ISO/IEC 29147], the elements of a vulnerability advisory report include: 

  • Identifier
  • Date/time
  • Title
  • Overview
  • List of affected products
  • Description of intended audience
  • Description of the vulnerability
  • Impact
  • Severity
  • Remediation
  • References
  • Discovery credit
  • Contact information
  • Revision history
  • Terms of use

Foundational Capabilities

Sustaining Capabilities

  • Acquiring entities should engage third-party suppliers who participate in coordinated vulnerability disclosure (CVD) programs to support the timely remediation of vulnerabilities.[2]
  • Acquiring entities should comprehensively integrate SBOMs, vulnerability databases, and other reporting mechanisms to ensure that they rapidly receive notifications of recently released vulnerabilities.

Enhancing Capabilities

  • Acquiring entities should prioritize third-party suppliers who staff defined Product Security Incident Response Teams (PSIRTs) and/or internal research teams that are dedicated to the identification, triage, and remediation of vulnerabilities across the supplier’s product and service suite in support of SSDF V1.1 Prepare the Organization (PO) and RV practices.[3]
  • Where possible and appropriate, acquiring entities should require a vulnerability advisory report in an automated and machine-readable format (e.g., VEX).
  • Acquiring entities should prioritize suppliers who utilize a formal bug bounty program to incentivize the discovery and proactive remediation of vulnerabilities before adversaries can utilize them, where feasible and legally appropriate.
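As an added example (not from this NIST page, nor any supplier's or project's code), the following Python sketches the automated intake described above: it validates a machine-readable advisory laid out in an OpenVEX-style structure and correlates its statements with an SBOM component list to produce a remediation queue. The advisory, supplier name, CVE-style identifiers and package URLs are constructed, and the required-field and status checks are this example's own assumptions, not a formal VEX schema validation.

```python
import json
from collections import defaultdict
# Constructed sample VEX document in an OpenVEX-style layout. The supplier name,
# the CVE-style identifiers and the package URLs are invented for this example.
SAMPLE_VEX = json.dumps({
    "@id": "https://example.invalid/vex/ADVISORY-0001",
    "author": "Example Supplier PSIRT",
    "timestamp": "2024-01-15T10:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "status": "affected",
         "products": [{"@id": "pkg:generic/libexample@1.2.0"}]},
        {"vulnerability": {"name": "CVE-0000-00001"}, "status": "fixed",
         "products": [{"@id": "pkg:generic/libexample@1.2.1"}]},
        {"vulnerability": {"name": "CVE-0000-00002"}, "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "products": [{"@id": "pkg:generic/webfront@3.0.0"}]},
    ],
})
# Constructed SBOM component list (package URLs) for the acquiring entity's deployment.
SAMPLE_SBOM_PURLS = ["pkg:generic/libexample@1.2.0", "pkg:generic/webfront@3.0.0", "pkg:generic/unrelated@9.9.9"]
# The four OpenVEX status values; anything else is rejected at intake.
VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}

def validate_vex(doc):
    """Return a list of intake problems; an empty list means the document is usable."""
    problems = [f"missing required field: {f}" for f in
                ("@id", "author", "timestamp", "version", "statements") if f not in doc]
    for i, st in enumerate(doc.get("statements", [])):
        if st.get("status") not in VALID_STATUSES:
            problems.append(f"statement {i}: unknown status {st.get('status')!r}")
        # A not_affected claim without a justification cannot be accepted at face value.
        if st.get("status") == "not_affected" and not st.get("justification"):
            problems.append(f"statement {i}: not_affected without a justification")
    return problems

def triage(vex_json, sbom_purls):
    """Map each deployed SBOM component to {vulnerability id: status} from the VEX statements."""
    doc = json.loads(vex_json)
    if problems := validate_vex(doc):
        raise ValueError("; ".join(problems))
    deployed, result = set(sbom_purls), defaultdict(dict)
    for st in doc["statements"]:
        for prod in st["products"]:
            if prod["@id"] in deployed:  # ignore statements about products we do not run
                result[prod["@id"]][st["vulnerability"]["name"]] = st["status"]
    return dict(result)

def needs_action(triaged):
    # Components with an 'affected' or 'under_investigation' statement form the remediation queue.
    return sorted(p for p, v in triaged.items() if any(s in ("affected", "under_investigation") for s in v.values()))
```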

-----------------

[2] Carnegie Mellon University Software Engineering Institute. (2021). CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security (Questions 2-5)


Created May 3, 2022, Updated November 1, 2024