NIST: Vulnerability Disclosure as a Requirement for Every Organization

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a set of policies meant to help the private sector in strengthening their cybersecurity readiness and awareness. The framework is published by the National Institute of Standards and Technology (NIST), under the US Department of Commerce. 

Originally designed for critical infrastructure IT, it has since been adopted by private sector organizations as part of their risk management and cybersecurity practices. In fact, it’s estimated that half of the organizations in the US use the framework. It has also been adopted by the information security agencies of other countries, including Italy, Israel and Japan. 

Updates to the Cybersecurity Framework

Since its inception in 2014, the framework has been updated several times to keep up with evolving threats. Version 1.1, released in 2017, added guidance on performing self-assessments, supply chain risk management, and vulnerability disclosure.

This revision is the result of a massive industry effort. During the spring of 2017 a number of organizations, including Rapid7, Duo Security, Cisco, Symantec (and yours truly, Bugcrowd) submitted a letter in response to NIST’s call for public comment on the framework.

After the updates, the draft now includes the following:

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

This language is very close to that suggested in the letter’s primary recommendation: “Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from external sources.”

The revised framework also mentions researchers in its Tier 1 implementation (pg. 10). This is an exciting addition and one that paves the way for the whitehat community to partner with organizations.

What the NIST Update Means for Vulnerability Assessment

These updates mark an incredibly important move by NIST. The news comes on the heels of another year of escalating cyberattacks and a growing focus from the federal government on vulnerability disclosure.

A 2020 report by RiskBased Security found that 36 billion records were exposed by data breaches in the first half of 2020 alone. Although the increased scope of cybersecurity threats is unfortunate, their sheer volume is causing policymakers to respond, and that’s a positive thing.

Adding to the positive changes, the White House recently released the Federal IT Modernization Report. This report positions vulnerability disclosure as the best-practice approach to external security testing for the U.S. Government. This is another major step forward not only for the bug bounty model, but most importantly, for the security of everyone in the U.S.

2020 was undoubtedly another year of escalation in size, scope, and scale of cyberattacks. It goes without saying that this past year every single American was impacted by at least one of these breaches. 

Wrapping It Up

With policies and standards such as the NIST Cybersecurity Framework and the Data Security and Breach Notification Act in place, it’s now incumbent on organizations to ensure they are set up to receive vulnerability data from external parties. This practice is already becoming a standard for major private organizations.

On behalf of Bugcrowd, thank you to all of those who responded to the call and expressed support for this very positive change! To learn more about vulnerability testing, read Bugcrowd’s Ultimate Guide to Pentesting.