Posted on Feb 28, 2018
In late 2017, the US government announced that the Vulnerabilities Equities Policy and Process, the procedure by which it decides whether to disclose software flaws that could be turned into cyberweapons, would be made public. The process had previously been described as “opaque, fueling suspicion that it cloaked a stockpile of software flaws that the National Security Agency was hoarding to go after foreign targets but that put Americans’ cybersecurity at risk.” While the rules by which the government reaches a disclosure decision have not changed, the process itself is now less opaque to those outside the government.
The published process details the considerations weighed for each flaw: threat, vulnerability, impact, and mitigation. The public can also see that the process includes a monthly review of newly discovered vulnerabilities by the NSA, CIA, FBI, and the Treasury, Commerce, and State Departments, as well as the Office of Management and Budget.
A few points of discussion in the now-public process have been:
As the government practices transparency and discloses the vulnerabilities it discovers, the cybersecurity risk ecosystem stands to benefit, as does the public.