Vulnerability Management: The National Infrastructure Advisory Council Vulnerability Disclosure Framework


Contents

National Infrastructure Advisory Council
Vulnerability Disclosure Framework
      Vulnerability Disclosure Framework Conclusions
      Vulnerability Disclosure Framework Guidelines
      Vulnerability Disclosure Framework Recommendations to the President
Reasons for a Vulnerability Disclosure Framework
Additional National Infrastructure Advisory Council Reports and Recommendations
References




National Infrastructure Advisory Council

The National Infrastructure Advisory Council (NIAC) advises the President of the United States, through the Secretary of Homeland Security, on the security of the country's critical infrastructure and related information systems. Council members are leaders of corporations, institutions, and non-federal governments who have expertise and responsibilities related to the charter of the NIAC.

Critical infrastructure refers to the systems and services that support the operation of society and the economy, such as utility lines and transportation systems. Without control and use of these fundamental systems, other functions are hindered or become unavailable.

Vulnerability Disclosure Framework

The NIAC's charter includes finding ways that the public and private sectors can work together to help protect critical infrastructures and related information systems. In February 2004, the NIAC presented the Vulnerability Disclosure Framework—a report that addresses some of these information security issues.

The Vulnerability Disclosure Framework discusses effective vulnerability management methods that can help secure information systems. Stakeholders include vendors, end users, individuals or organizations that discover vulnerabilities, and individuals or organizations that coordinate vendor responses to vulnerability information.

Vulnerability Disclosure Framework Conclusions

The Vulnerability Disclosure Framework offers six conclusions:

  • Vendors and discoverers of vulnerabilities have the same goal
  • Consistent processes are important for vulnerability management across stakeholders
  • Compatible encryption schemes are needed for communication about vulnerabilities
  • A shared threat-scoring method can provide a basis for more consistent viewpoints of vulnerabilities across stakeholders
  • Information sharing about systems security is vital
  • Public policy regarding information security should be reviewed in terms of supporting secure information sharing without liability concerns

Vulnerability Disclosure Framework Guidelines

The Vulnerability Disclosure Framework provides guidelines for the creation of a flexible framework through which stakeholders can manage vulnerability information. Topics include methods for research and verification, protection of information from public disclosure before release of the final public advisory, communication among the involved parties during vulnerability discovery and fix development, and timelines and considerations for public communication of vulnerability information.

Vulnerability Disclosure Framework Recommendations to the President

The Vulnerability Disclosure Framework also recommends steps that the U.S. government can take to address the issues discussed in the report. The following points, quoted from the NIAC document, are explained further in the report:

  • Support development of a common vulnerability management architecture
  • Protect vulnerability information and ongoing investigations
  • Promote universal use of compatible encryption
  • Conduct a regulatory framework review
  • Support robust voluntary information sharing
  • Support a robust infrastructure for international coordination
  • Promote and fund advanced university and industry security research and education

Reasons for a Vulnerability Disclosure Framework

In outlining a framework for managing vulnerability information, the NIAC has considered many facets of the vulnerability disclosure issue. The council's report provides a thorough overview of the interdependencies of stakeholder roles and the issues present at each stage of the vulnerability lifecycle. The conclusions, guidelines, and recommendations in the Vulnerability Disclosure Framework suggest ways in which all parties can move toward increased voluntary information sharing and, ultimately, toward increased security in information systems.

Without such a vision, stakeholders may remain somewhat isolated in their work. Because the systems that need to be protected are interconnected, and attacks are increasingly automated and fast acting, working in isolation has limited value. Coordinated efforts that meet the needs of all stakeholders can produce gains in the speed and efficiency with which vulnerabilities are mitigated or corrected. Establishing the systems and performing the regulatory reviews recommended in the Vulnerability Disclosure Framework are important first steps toward these coordinated efforts.

Additional National Infrastructure Advisory Council Reports and Recommendations

Additional reports and recommendations are available on the NIAC page of the U.S. Department of Homeland Security website. Of particular interest is the Common Vulnerability Scoring System, which is hosted by the Forum of Incident Response and Security Teams (FIRST).

References

Common Vulnerability Scoring System (CVSS)
http://www.dhs.gov/xlibrary/assets/niac/NIAC_CVSS_FinalRpt_12-2-04.pdf

FIRST CVSS
http://www.first.org/cvss/

National Infrastructure Advisory Council
http://www.dhs.gov/niac

Vulnerability Disclosure Framework
http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf



This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
