Saturday, May 22, 2021

Public Comments on CISA Vulnerability Discovery ICR Revision – 5-22-21

On March 19th, 2021, DHS published a 60-day information collection request (ICR) notice to support the expansion of their Vulnerability Discovery program (VDP) to other agencies in the federal government. The comment period on the ICR notice closed this week. Only one additional comment was received beyond the two I reported on over a month ago. The last comment comes from CERT/CC at Carnegie Mellon University's Software Engineering Institute.

CERT/CC’s comment contains a very good description of the type of information needed in an actionable vulnerability report.

CISA will now evaluate the comments received and prepare their 30-day ICR notice. I suspect that there will be only a relatively short delay until that notice is published in the Federal Register. Typically this takes a couple of months, but it has been known to take years on more controversial ICRs.
