On May 24, the National Institute of Standards and Technology (NIST) released the final version of its guidelines on how Federal agencies should manage vulnerability disclosure for their information systems.
The publication, NIST Special Publication 800-216, sets out how Federal agencies are expected to move forward in a unified direction to best protect and manage their digital assets when vulnerabilities are reported or assessed.
“In order to define vulnerability disclosure guidelines, this document describes a framework for the U.S. Government to establish and maintain a unified and flexible collection and management process for vulnerability disclosures,” the publication states.
The new guideline follows a government-wide effort led by the Office of Management and Budget (OMB), the Department of Defense (DoD), and the Department of Homeland Security (DHS).
The guideline also states that the framework can be used at “all levels, from a central oversight body down to the individual program offices,” and that it applies to “all government-developed, commercial, and open-source software used by government systems.”
Ultimately, the guideline focuses on providing a framework for Federal agencies in the following three areas:
- Receiving information about a potential security vulnerability in a Federal information system;
- Coordinating with stakeholders;
- Resolving and disseminating information about such security vulnerabilities.
“These guidelines focus on assessing risk from identified vulnerabilities and encourage all organizations throughout the Federal Government to collect and evaluate vulnerability disclosures for maximum communication and accountability,” states the guideline.