As the Department of Defense seeks to help strengthen the defense industrial base's cybersecurity posture, it has created a new official program that allows independent white-hat hackers to discover and analyze vulnerabilities in companies and their systems.
The Defense Cybercrime Center (DC3) announced Friday that it is partnering with the Defense Counterintelligence and Security Agency to launch a fully operational Defense Industrial Base Vulnerability Disclosure Program (also known as DIB-VDP). Participation is free and voluntary for companies.
“The initiative aims to bring vulnerability disclosure capabilities to the DIB, and the strategic collaboration will further strengthen DC3 and DCSA's support to the DIB in the areas of vulnerabilities, analytics, cybersecurity, and cyber forensics,” the press release states.
The program's full launch comes after the two organizations collaborated with cybersecurity firm HackerOne on a year-long pilot, which ended in 2022.
During the pilot, contractors were asked to accept vulnerability disclosures so that independent hackers could seek out, document, and report security vulnerabilities to companies and the Department of Defense.
The official program will allow companies to voluntarily submit assets and platforms for “ethical research analysis and vulnerability threat assessment,” according to the release.
In recent years, the Department of Defense has sought to protect the defense industrial base from adversaries targeting critical system information through cyberattacks and intrusions. Following an update to the Cybersecurity Maturity Model Certification 2.0 proposed rule in December, the department released the Defense Industrial Base Cybersecurity Strategy in March to work with businesses of all sizes to strengthen their digital resilience.
The new DIB-VDP aims to be part of that effort by building on lessons learned from pilots and the department's own vulnerability disclosure program and passing those insights on to military contractors.
“Implementing DIB-VDP is the most effective means of sharing DIB-induced vulnerabilities with DIB companies,” the release states. “This allows DIB companies to remediate vulnerabilities much earlier than traditional vulnerability management efforts.”