\
Jurisdiction
Canada
Region
North America
Requirement
Recommended
Policy
Cyber Security Self-Assessment
Applies to
Federally regulated financial institutions (FRFIs) in Canada
Provision
Item 42
Description

The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.

Date
August 2021
Organization
Office of the Superintendent of Financial Institutions (OSFI)
View source
Jurisdiction
United States
Region
North America
Requirement
Required *Coming Soon
Policy
Cybersecurity in the Marine Transportation System
Applies to
U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations
Provision
Sec. 101.650(e)(3)(ii)
Description

(3) Routine system maintenance. Each owner or operator or a designated CySO of a vessel, facility, or OCS facility must ensure the following measures for routine system maintenance are in place and documented in Section 6 of the Cybersecurity Plan: 

(i) Ensure patching or implementation of documented compensating controls for all KEVs in critical IT or OT systems, without delay; 

(ii) Maintain a method to receive and act on publicly submitted vulnerabilities; 

(iii) Maintain a method to share threat and vulnerability information with external stakeholders; 

(iv) Ensure there are no exploitable channels directly exposed to internet-accessible systems; 

(v) Ensure no OT is connected to the publicly accessible internet unless explicitly required for operation, and verify that, for any remotely accessible OT system, there is a documented justification; and 

(vi) Conduct vulnerability scans as specified in the Cybersecurity Plan.

Date
TBD
Organization
U.S. Coast Guard
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Cyber Related Sanctions FAQs
Applies to
Reporters of vulnerabilities / good faith security researchers
Provision
FAQ 448
Description
Question: I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?  Answer: The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.
Date
April 2015
Organization
Office of Foreign Assets Control (OFAC)
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Vulnerability Disclosure Attitudes and Actions
Applies to
Organizations
Provision
N/A
Description
In September 2015, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to investigate software vulnerability disclosure and handling practices. The process was open to any interested participant and included members from business, government, and civil society. Members organized into three working groups to study diferent aspects of vulnerability disclosure and handling. This report is a product of the “Awareness and Adoption Working Group,” which focused on increasing understanding and use of best practices.
Date
December 2016
Organization
National Telecommunications and Information Administration
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1
Applies to
Companies and organizations, especially those in "safety-critical industries" (e.g., automotive, medical devices, etc.)
Provision
N/A
Description
In 2016, NTIA convened "a multistakeholder process to address principles and practices around security researcher disclosure." The NTIA Safety Working Group produced this document to outline the initial steps an organization can take to improve collaboration withing the context of vulnerability disclosure and remediation. "Much of the discussion targeted the safety-critical industry, in which the potential for harm directly impacts publci safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software systems." NTIA's document is broken into the following sections: 1. Introduction: Disclosure and Safety 2. Disclosure Policy: First Steps 3. Template Disclosure Policy 4. Sample Vulnerability Disclosure Policy Template 5. Issues to Consider in Writing a Disclosure Policy
Date
December 2016
Organization
National Telecommunications and Information Administration
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
A Framework for a Vulnerability Disclosure Program for Online Systems
Applies to
Organizations
Provision
N/A
Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program. It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act. The framework consists of four steps: 1. Design the vulnerability disclosure program2. Plan for administering the vulnerability disclosure program3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent4. Implement the vulnerability disclosure program
Date
July 2017
Organization
U.S. Department of Justice
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
FDA Postmarket Guidance for Medical Devices
Applies to
Medical device manufacturers
Provision
Sec. V(B), VII
Description

Section V(B): Manufacturers should implement "Cybersecurity Risk Management Programs" that include "adopting a coordinated vulnerability disclosure policy and practice." Since the rule was published in 2016, it suggests that manufacturers make use of the ISO/IEC 29147:2014 (Information Technology - Security Techniques - Vulnerability Disclosure) Standard, which has since been replaced by a new version in 2018. 

Section VII: Manufacturers should "adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter

Date
December 2016
Organization
FDA
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST Cybersecurity Framework 2.0
Applies to
All organizations that use the CSF
Provision
ID.RA.08
Description
"Processes for receiving, analyzing, and responding to vulnerability disclosures are established" within an organization.
Date
February 2024
Organization
NIST
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST SP 800-218, Secure Software Development Framework
Applies to
Software developers
Provision
RV.1.3
Description
RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
Date
February 2022
Organization
NIST
View source
Subscribe to North America