CISA posts Vulnerability Disclosure Platform RFI

On December 20, the General Services Administration (GSA), Federal Acquisition Service (FAS), Region issued a Request for Information (RFI) on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). Responses are due by 12:00 p.m. Mountain on January 15.

The purpose of this RFI is to assist the Government in conducting market research focused on identifying potential vendors as well as to gain technical feedback from industry on the Government’s centralized Vulnerability Disclosure Platform requirement. This information will be used for market research only. The Government is not obligated to release a future solicitation based on this market research.  

Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems. Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized. CISA recently released draft Binding Operational Directive 20-01, which identifies the requirement that each Federal Civilian Executive Branch (FCEB) agency develop and publish a vulnerability disclosure policy and maintain supporting handling procedures for identified vulnerabilities. Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. The subsequent sections describe the concept of a vulnerability disclosure platform that could support agencies with the handling of submitted vulnerabilities, to be managed centrally by the CISA Cybersecurity Quality Services Management Office (QSMO), based on government-wide standards, policy, and business requirements.

The intent of the vulnerability disclosure platform is to provide a CISA-managed central platform to facilitate the submission and tracking of vulnerabilities discovered in internet-accessible information systems of the FCEB agencies, including Independent Agencies and all Boards, Commissions, and Committees. Participation in the vulnerability disclosure platform is envisioned to be voluntary for FCEB agencies, and therefore the platform needs to scale to support a potentially varying number of agencies at any time. The government desires that the vulnerability disclosure platform be a software-as-a-service web application that serves as the primary point of entry for vulnerability reporters to alert the government of potential issues on federal information systems for those agencies that participate in the platform. Remediation of identified vulnerabilities on federal information systems is intended to be the responsibility of the appropriate hosting agencies, not CISA or the vulnerability disclosure platform service provider.

Full information is available here.

Source: SAM