
Richard Brooks

Where is the urgency in Vulnerability Disclosure Reporting; Implementation is Scheduled for September 2025

I believe CISA Director Jen Easterly is genuine and sincere in her concern for consumers when she talks about the need for “radical transparency”, which you can see during this presentation at CMU. She cites three driving principles:

To help crystalize this model, at CISA, we’re working to lay out a set of core principles for technology manufacturers to build product safety into their processes to design, implement, configure, ship, and maintain their products. Let me highlight three of them here:

First, the burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.

Second, technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market. 

Third, the leaders of technology manufacturers should explicitly focus on building safe products, publishing a roadmap that lays out the company's plan for how products will be developed and updated to be both secure-by-design and secure-by-default.

Vulnerability Disclosure Reporting (VDR) is one of the most important functions that manufacturers must perform in order to help consumers avoid becoming the victim of a cyber-attack. The international vulnerability disclosure standard, ISO/IEC 29147:2018, states: “Vulnerability disclosure enables both the remediation of vulnerabilities and better-informed risk decisions. Vulnerability disclosure is a critical element of the support, maintenance, and operation of any product or service that is exposed to active threats. This includes practically any product or service that uses open networks such as the Internet. A vulnerability disclosure capability is an essential part of the development, acquisition, operation, and support of all products and services. Operating without vulnerability disclosure capability puts users at increased risk.”

The National Institute of Standards and Technology (NIST) emphasizes the importance of vulnerability disclosure reporting to help consumers manage software risk. The National Cybersecurity Strategy (NCS) also stresses the importance of helping consumers manage risks by “rebalancing” software risks between consumers and software/IoT product manufacturers.

Based on all of the above, it would seem that vulnerability disclosure reporting would be a high-priority goal at CISA, one that is needed sooner rather than later. This raises some very serious questions. Why has CISA scheduled Vulnerability Disclosure Reporting for Q4 FY25 (September 2025)? See initiative 3.3.3 in the recently posted NCS Implementation Plan. There seems to be a lack of urgency in this response when you consider the number of successful cyber-attacks that are occurring, AND the fact that NIST guidance for vulnerability disclosure reporting is readily available NOW. So, what’s the hold-up?

We know that NIST already provides standards and guidelines for vulnerability disclosure reporting that are implementable now. Why is CISA waiting until September 2025 to implement a NIST capability that exists today? The people responsible for Vulnerability Reporting in CISA appear to have their own agenda, which does not align with the sense of urgency that Director Easterly has expressed about this important need to provide consumers with radical transparency into the trustworthiness of their products.

It seems that CISA still has a long way to go to get the entire CISA ship headed in the same direction. Madam Director, you have a big job ahead. Many CISA initiatives are doing a good job of prioritizing cybersecurity protections for consumers, e.g. Shields Up and the ICT SCRM Task Force, but it seems the people responsible for Vulnerability Reporting in CISA haven’t received the message that this is an urgent matter that deserves immediate attention. "CISA management is now asking questions about what they’re getting from their 19-month (so far) commitment to the VEX working group". It may be time to skip a few of the cybersecurity conferences, like Black Hat and DEF CON, and instead focus on delivering real cybersecurity protections and SBOM vulnerability disclosure reports to software consumers, who are suffering ransomware attacks that shut down hospitals and cost billions of dollars annually. The Vulnerability Disclosure Reporting implementation milestone (NCSIP 3.3.3) should be pulled forward into early FY24. It should not be difficult for CISA to achieve this goal: NIST already has Vulnerability Disclosure Reporting (VDR) standards and guidelines, so it’s just a matter of implementation.