Request for Comments on Improving Vulnerability Identification, Management, and Remediation

Federal Register, Nov 27, 2019
84 Fed. Reg. 65424 (Nov. 27, 2019)

AGENCY:

Office of Management and Budget.

ACTION:

Notice of public comment period.

SUMMARY:

The Office of Management and Budget (OMB) is seeking public comment on a draft memorandum titled, “Improving Vulnerability Identification, Management, and Remediation.”

DATES:

The 30-day public comment period on the draft memorandum begins on the day it is published in the Federal Register and ends 30 days after date of publication in the Federal Register.

ADDRESSES:

Interested parties should provide comments via electronic mail to ofcio@omb.eop.gov. The Office of Management and Budget is located at 725 17th Street NW, Washington, DC 20503. No physical copies will be accepted.

FOR FURTHER INFORMATION CONTACT:

Matthew T. Cornelius, OMB, at 202.881.7386 or matthew.t.cornelius@omb.eop.gov.

SUPPLEMENTARY INFORMATION:

The Office of Management and Budget (OMB) is proposing guidance to Federal agencies on the publication and implementation of Vulnerability Disclosure Policies (VDPs). VDPs, which are processes for the intake and addressing of security vulnerabilities uncovered by security researchers and the public, are among the most effective methods for obtaining new insights regarding security vulnerability information. They also provide protection for those who uncover these vulnerabilities by differentiating between acceptable and unacceptable means of gathering security information (also known as “authorizing good faith security research”). VDPs make it easier for the security research community to report vulnerabilities to appropriate agency contacts, who can then use the reports to address vulnerabilities of which they may not have been aware.

Authority for this notice is granted under the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3553-3554).

Suzette Kent,

Federal Chief Information Officer, Office of the Federal Chief Information Officer.

[FR Doc. 2019-25715 Filed 11-26-19; 8:45 am]

BILLING CODE 3110-05-P