DOD launching fully operational vulnerability disclosure program for defense industrial base

The Defense Department’s Cyber Crime Center announced that it is setting up an official Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP).

As the Pentagon looks to help the defense industrial base strengthen its cybersecurity posture, the department has created a new official program that allows independent white-hat hackers to find and analyze vulnerabilities in participating companies and their systems.

The Defense Department’s Cyber Crime Center (DC3) announced Friday that it is partnering with the Defense Counterintelligence and Security Agency to set up a fully operational Defense Industrial Base-Vulnerability Disclosure Program, also known as DIB-VDP. Participation is free and voluntary for companies.

The initiative looks to “bring vulnerability disclosure capabilities to the DIB, and the strategic alignment will further enhance DC3 and DCSA support to the DIB in the vulnerability, analytical, cybersecurity, and cyber forensics domains,” a press release stated.

The fully operational program comes after the two organizations worked with cybersecurity company HackerOne on a yearlong pilot, which concluded in 2022.

During the pilot, contractors were asked to accept vulnerability disclosures so that independent hackers could seek out, document and report security vulnerabilities to the companies and the Pentagon.

Now with an official program, firms can voluntarily submit assets and platforms for “ethical research analysis and vulnerability threat assessment,” according to the release.

In recent years, the Pentagon has sought to protect the defense industrial base from adversaries looking for critical system information via cyber attacks and intrusions. Following the updated proposed rule for Cybersecurity Maturity Model Certification 2.0 in December, the department released a Defense Industrial Base Cybersecurity Strategy in March that outlined how it will work with companies of all sizes in enhancing their digital resiliency.

The new DIB-VDP aims to be part of that effort by building on lessons learned from the pilot and the department’s own vulnerability disclosure program, and passing those insights on to military contractors.

“Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems,” a release stated. “This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.”
