DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base

The U.S. Department of Defense (DoD) Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) announce a strategic partnership to establish a fully operational Vulnerability Disclosure Program (VDP) supporting the Defense Industrial Base (DIB), known as DIB-VDP. The free and voluntary DIB-VDP aims to bring vulnerability disclosure capabilities to the DIB, and the strategic alignment will further enhance DC3 and DCSA support to the DIB in the vulnerability, analytical, cybersecurity, and cyber forensics domains.

Program efforts align to address national-level cybersecurity strategies and policies, such as the 2022 National Defense Strategy, the 2023 National Cybersecurity Strategy, and the 2024 Defense Industrial Base Cybersecurity Strategy.

Companies working in support of the DIB, and within 32 CFR pt. 236, are eligible to participate in this voluntary program. Program participants will be onboarded and integrated into this cost-free program, which will allow for ethical researcher analysis and vulnerability threat assessment on those participants’ voluntarily identified assets and platforms.

In 2022, in partnership with the HackerOne crowdsourced ethical researcher community, DC3 and DCSA conducted a DIB-VDP 12-month pilot that leveraged the trusted and symbiotic relationship of the DC3 DoD-Defense Industrial Base Collaborative Information Sharing Environment and the DIB. The pilot was born out of the desire to deliver the years of progressive lessons learned by the DoD VDP to DIB companies.

Through operational agreements and strategic partnerships, DC3 and the DCSA routinely collaborate on ways to share information security data. DoD VDP vulnerability reporting is shared with DoD system owners on the Joint Force Headquarters-DoD Information Networks via the Vulnerability Report Management Network (VRMN). 

A parallel system, DIB VRMN, employs the same efficient and automated approach while ensuring that DIB data is tracked and held separately from DoD data. Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems. This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.

DCSA brings to the DIB-VDP its established relationship with Defense Industrial Base companies and its oversight of approximately 12,500 cleared companies under the National Industrial Security Program, which are eligible participants for the program.

Through this program and partnership, DC3 seeks to build upon and improve the combination of policies, requirements, services, pilots, public-private collaboration, and interagency efforts to combat the complex, ever-evolving cyber threats facing the DIB.
