On December 20, the General Services Administration (GSA),
Federal Acquisition Service (FAS), Region issued a Request for Information
(RFI) on behalf of the Cybersecurity and Infrastructure Security Agency (CISA).
Responses are due by 12:00 p.m. Mountain on January 15.
The purpose of this RFI is to assist the Government in
conducting market research focused on identifying potential vendors as well as
to gain technical feedback from industry on the Government’s centralized
Vulnerability Disclosure Platform requirement. This information will be used
for market research only. The Government is
not obligated to release a future solicitation based on this market research.
Most federal agencies currently lack a formal mechanism to
receive information from third parties about potential security vulnerabilities
on their systems. Many agencies have no defined strategy for handling reports
about such issues shared by outside parties. Only a few agencies have clearly
stated that those who disclose vulnerabilities in good faith are
authorized. CISA recently released draft
Binding Operative Directive 20-01, which identifies the requirement that each
Federal Civilian Executive Branch (FCEB) agency develop and publish a
vulnerability disclosure policy and maintain supporting handling procedures for
identified vulnerabilities.
Vulnerability disclosure policies enhance the resiliency of the
government’s online services by encouraging meaningful collaboration between
federal agencies and the public. The
subsequent sections describe the concept a vulnerability disclosure platform
that could support Agencies with the handling of submitted vulnerabilities, to
be managed centrally by the CISA Cybersecurity Quality Services Management
Office (QSMO), based on government-wide standards, policy, and business
requirements.
The intent of the vulnerability disclosure platform is to provide a CISA managed central platform to facilitate the submission and tracking of vulnerabilities discovered in internet-accessible information systems of the FCEB agencies, including Independent Agencies and all Boards, Commissions, and Committees. Participation in the vulnerability disclosure platform is envisioned to be voluntary for FECB agencies, and therefore the platform needs to scale to support a potentially varying number of agencies at any time. The government desires that the vulnerability disclosure platform be a software-as-a-service web application that serves as the primary point of entry for vulnerability reporters to alert the government of potential issues on federal information systems for those agencies that participate in the platform. Remediation of identified vulnerabilities on federal information systems is intended to be the responsibility of the appropriate hosting agencies, not CISA or the vulnerability disclosure platform service provider.
Full information is available here.
Source: SAM
By 
