Vulnerabilities are discovered from a variety of sources. Software developers may find security bugs in already-deployed code. Security researchers and penetration testers may find vulnerabilities by scanning or manually testing software and accessible systems. Effectively identifying, triaging, remediating, and reporting vulnerabilities are central pillars of the EO. In its discussion of Zero Trust Architecture, the EO recognizes that the discovery of vulnerabilities is inevitable, and that federal agencies should focus on managing those vulnerabilities efficiently and comprehensively.
Federal agencies should adhere to NIST’s existing Vulnerability Disclosure Program guidance in SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which addresses reporting, coordinating, publishing, and receiving information about security vulnerabilities. Agencies should require their software suppliers to participate in a Vulnerability Disclosure Program or monitor them as potential risks. Agencies should also require a range of supplier activities and capabilities that enable the comprehensive and timely management of vulnerabilities. For example, agencies may require that suppliers disclose whether provided software components are vulnerable to exploitation through a vulnerability advisory report in an automated and machine-readable format (e.g., Vulnerability Exploitability eXchange [VEX]). Agencies should be able to accept vulnerability advisories in an automated format.
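The following is an added illustration (not from this document) of what "accepting vulnerability advisories in an automated format" looks like on the agency side: a small consumer that reads a constructed VEX document and sorts each supplier statement into a work queue. It assumes the OpenVEX statement layout and the VEX status and justification vocabularies; the CVE identifiers are placeholders.

```python
import json

# Constructed sample VEX document (assumption: OpenVEX statement layout; the
# status values and the five "not affected" justifications are the VEX
# vocabularies). CVE ids are placeholders, not real identifiers.
SAMPLE_VEX = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Example Supplier (constructed)",
  "statements": [
    {"vulnerability": {"name": "CVE-EXAMPLE-0001"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-EXAMPLE-0002"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "affected", "action_statement": "upgrade to 1.2.4"},
    {"vulnerability": {"name": "CVE-EXAMPLE-0003"},
     "products": [{"@id": "pkg:pypi/example-tool@0.9"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "CVE-EXAMPLE-0004"},
     "products": [{"@id": "pkg:pypi/example-tool@0.9"}],
     "status": "under_investigation"}
  ]
}"""

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path",
                  "vulnerable_code_cannot_be_controlled_by_adversary",
                  "inline_mitigations_already_exist"}

def triage(vex_json: str) -> dict:
    """Sort (product, vulnerability, status) triples into three queues:
    act        - affected or under_investigation: track and remediate
    accepted   - fixed, or not_affected with a recognized justification
    unverified - not_affected with no recognized justification: do not
                 suppress the finding; ask the supplier for evidence"""
    queues = {"act": [], "accepted": [], "unverified": []}
    for st in json.loads(vex_json)["statements"]:
        status = st.get("status")
        if status not in STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        for product in st["products"]:
            triple = (product["@id"], st["vulnerability"]["name"], status)
            if status in ("affected", "under_investigation"):
                queues["act"].append(triple)
            elif status == "fixed" or st.get("justification") in JUSTIFICATIONS:
                queues["accepted"].append(triple)
            else:
                queues["unverified"].append(triple)
    return queues
```

A rejected or malformed status is raised as an error rather than ignored, so a supplier advisory that cannot be interpreted is surfaced instead of silently dropping a vulnerability from the agency's view.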
Per [ISO/IEC 29147], the elements of a vulnerability advisory report include: