National Infrastructure Advisory Council
Vulnerability Disclosure Framework
Vulnerability Disclosure Framework Conclusions
Vulnerability Disclosure Framework Guidelines
Vulnerability Disclosure Framework Recommendations to the President
Reasons for a Vulnerability Disclosure Framework
Additional National Infrastructure Advisory Council Reports and Recommendations
References
The National Infrastructure Advisory Council (NIAC) advises the President of the United States, through the Secretary of Homeland Security, on the security of the country's critical infrastructure and related information systems. Council members are leaders of corporations, institutions, and non-federal governments who have expertise and responsibilities related to the charter of the NIAC.
Critical infrastructure refers to the systems and services that support the operation of society and the economy, such as utility lines and transportation systems. Without control and use of these fundamental systems, other functions are hindered or become unavailable.
The NIAC's charter includes finding ways that the public and private sectors can work together to help protect critical infrastructures and related information systems. In February 2004, the NIAC presented the Vulnerability Disclosure Framework—a report that addresses some of these information security issues.
The Vulnerability Disclosure Framework discusses effective vulnerability management methods that can help secure information systems. Stakeholders include vendors, end users, individuals or organizations that discover vulnerabilities, and individuals or organizations that coordinate vendor responses to vulnerability information.
The Vulnerability Disclosure Framework offers six conclusions:
The Vulnerability Disclosure Framework provides guidelines for the creation of a flexible framework through which stakeholders can manage vulnerability information. Topics include methods for research and verification, protection of information from public disclosure before release of the final public advisory, communication among the involved parties during vulnerability discovery and fix development, and timelines and considerations for public communication of vulnerability information.
The Vulnerability Disclosure Framework also recommends steps that the U.S. government can take to address the issues discussed in the report. The following points, quoted from the NIAC document, are explained further in the report:
In outlining a framework for managing vulnerability information, the NIAC has considered many facets of the vulnerability disclosure issue. The council's report provides a thorough overview of the interdependencies of stakeholder roles and the issues present at each stage of the vulnerability lifecycle. The conclusions, guidelines, and recommendations in the Vulnerability Disclosure Framework suggest ways in which all parties can move toward increased voluntary information sharing and, ultimately, toward increased security in information systems.
Without such a vision, stakeholders may remain somewhat isolated in their work. Because the systems that need to be protected are interconnected, and attacks are increasingly automated and fast acting, isolated efforts have limited value. Coordinated efforts that meet the needs of all stakeholders can produce gains in the speed and efficiency with which vulnerabilities are mitigated or corrected. Establishing the systems and performing the regulatory reviews recommended in the Vulnerability Disclosure Framework are important first steps toward these coordinated efforts.
Additional reports and recommendations are available on the NIAC page of the U.S. Department of Homeland Security website. Of particular interest is the Common Vulnerability Scoring System, which is hosted by the Forum of Incident Response and Security Teams (FIRST).
Common Vulnerability Scoring System (CVSS): http://www.dhs.gov/xlibrary/assets/niac/NIAC_CVSS_FinalRpt_12-2-04.pdf
FIRST CVSS: http://www.first.org/cvss/
National Infrastructure Advisory Council: http://www.dhs.gov/niac
Vulnerability Disclosure Framework: http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.