Required

Protective Security Policy Framework - Policy 11 - Robust ICT Systems

h1_admin — Wed, 09 Oct 2024 17:52:21 +0000

Protective Security Policy Framework - Policy 11 - Robust ICT Systems h1_admin Wed, 10/09/2024 - 12:52 Jurisdiction Australia Region Asia/Pacific Requirement Required Organization Australian Department of Home Affairs Provision C.6 Applies to Australian Government entities Date July 29, 2022 Description

C.6 Vulnerability Disclosure Program

60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources.

61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services and any recommended security patches, updates or mitigations.

62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.

https://www.protectivesecurity.gov.au/system/files/2024-02/policy-11-robust-ict…

Act Nº 2436, Requisitos Mínímos de Segurança Cibernética Para Avaliação da Conformidade de Equipamentos CPE (Minimum Cybersecurity Requirements for Assessing Compliance of CPE (Customer Premises Equipment))

h1_admin — Thu, 29 Aug 2024 20:13:45 +0000

Act Nº 2436, Requisitos Mínímos de Segurança Cibernética Para Avaliação da Conformidade de Equipamentos CPE (Minimum Cybersecurity Requirements for Assessing Compliance of CPE (Customer Premises Equipment)) h1_admin Thu, 08/29/2024 - 15:13 Jurisdiction Brazil Region Latin America Requirement Required Organization ANATEL Provision Sections 7.1.4, 7.1.5 Applies to Vendors of Customer Premises Equipment (CPE) used by the general public to connect to ISPs Date March 10, 2024 Description

7.1.4. Item 6.1.5 - Disponibilizar um canal de comunicação que possibilite aos seus clientes, usuários finais e terceiros notificarem vulnerabilidades de segurança identificadas nos produtos.

7.1.4.1. Este canal deve: a) ser exclusivo para a notificação de vulnerabilidades; e b) implementar comunicações seguras como, por exemplo: formulário web com uso de HTTPS, e-mail criptografado com PGP ou outro esquema de chave pública (a chave pública associada ao endereço de e-mail deve ser disponibilizada para que os interessados possam, se assim desejarem, enviar mensagens cifradas).

7.1.5. Item 6.1.6 - Possuir implementado processo de Divulgação Coordenada de Vulnerabilidades baseados em boas práticas e recomendações reconhecidas internacionalmente, tais como as referências 2.6 a 2.8 deste documento.

7.1.5.1. A Política de Divulgação Coordenada de Vulnerabilidade do fornecedor deve ser publicada em sua página na Internet e deve contemplar, no mínimo, os seguintes itens: a) Os objetivos do fornecedor, suas responsabilidades, bem como o que ele espera de outras partes interessadas. b) Como deseja ser notificado (ex.: e-mail, formulário em página na Internet) e os respectivos contatos (ex.: endereço de e-mail, URL de formulário web). c) Detalhamento das opções de comunicação segura (ex.: chave PGP para e-mail, formulário seguro via HTTPS). d) Quais informações o notificador deve incluir na notificação. e) O que o notificador deve esperar após reportar uma vulnerabilidade como, por exemplo: reconhecimento do recebimento da notificação, reconhecimento da vulnerabilidade, atualizações na evolução do caso e seus respectivos prazos. f) Orientação sobre o que está dentro e fora do escopo do processo de notificação, suas limitações, etc.

7.1.4. Item 6.1.5 - Provide a communication channel that allows its customers, end users and third parties to report security vulnerabilities identified in the products.

7.1.4.1. This channel must: a) be exclusive for the notification of vulnerabilities; and b) implement secure communications such as: web form using HTTPS, email encrypted with PGP or another public key scheme (the public key associated with the email address must be made available so that interested parties can, if they so wish, send encrypted messages).

7.1.5. Item 6.1.6 - Have implemented a Coordinated Vulnerability Disclosure process based on internationally recognized good practices and recommendations, such as references 2.6 to 2.8 of this document. 7.1.5.1. The supplier's Coordinated Vulnerability Disclosure Policy must be published on its website and must address, at a minimum, the following items: a) The supplier's objectives, its responsibilities, as well as what it expects from other interested parties. b) How you wish to be notified (e.g. email, web form) and your contact details (e.g. email address, web form URL). c) Details of secure communication options (e.g.: PGP key for email, secure form via HTTPS). d) What information the notifier must include in the notification. e) What the notifier should expect after reporting a vulnerability, such as: acknowledgement of receipt of the notification, acknowledgement of the vulnerability, updates on the evolution of the case and their respective deadlines. f) Guidance on what is within and outside the scope of the notification process, its limitations, etc.

https://informacoes.anatel.gov.br/legislacao/component/content/article/160-atos…

Regulations on the Management of Security Vulnerabilities in Network Products

h1_admin — Mon, 29 Jul 2024 21:45:48 +0000

Regulations on the Management of Security Vulnerabilities in Network Products h1_admin Mon, 07/29/2024 - 16:45 Jurisdiction People's Republic of China Region Asia/Pacific Requirement Required Organization Ministry of Industry and Information Technology Provision Article 5, Article 6 Applies to Network product providers, network operators and network product security vulnerability collection platforms Date July 2021 Description Article 5: Network product providers, network operators and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information and keep them open, and retain network product security vulnerability information receiving logs for no less than 6 months. Article 6: "Encourages relevant organizations and individuals to report security vulnerabilities in their products to network product providers" and "Encourage network product providers to establish a reward mechanism for security vulnerabilities in the network products they provide, and reward organizations or individuals who discover and report security vulnerabilities in the network products they provide." http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm

Cyber Security Law of the Republic of Lithuania No. XII-1428 Law amending Articles 1, 2, 6, 8, 9, 13, the title of Chapter V, the appendix and supplementing the Law with Article 17 and Chapter VI

h1_admin — Mon, 29 Jul 2024 20:45:03 +0000

Cyber Security Law of the Republic of Lithuania No. XII-1428 Law amending Articles 1, 2, 6, 8, 9, 13, the title of Chapter V, the appendix and supplementing the Law with Article 17 and Chapter VI h1_admin Mon, 07/29/2024 - 15:45 Jurisdiction Lithuania Region Europe Requirement Required Organization Ministry of National Defense Provision Article 8 (Adding Article 17) Applies to Reporters of Vulnerabilities Date June 2021 Description Provides a definition for what constitutes the legitimate disclosure of a vulnerability by a private person; it also determines the following restrictions: 1. The operation, functionality, services and data availability or integrity of the communication and information system may not be disrupted or altered. 2. When a vulnerability is identified, the search activity is terminated. 3. Within 24 hours of the start of the search activity, information on search results must be submitted to the NCSC under the Ministry of National Defence or CSE. 4. It is not unnecessarily sought to validate, monitor, record, intercept, acquire, store, disclose, copy, modify, corrupt, delete, destroy data managed by a cybersecurity entity. 5. No attempts are made to guess passwords. Passwords obtained illegally are not used and employees of the CSE or other persons who have the right to use non-public information relevant to the search for loopholes are not exploited or manipulated in order to obtain the information. 6. Information about the detected vulnerability is shared only with the NCSC under the Ministry of National Defence or CSE and made public according to the amendment. https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/24366500d28511eb9787d6479a2b2829…

Law for a Digital Republic

h1_admin — Mon, 29 Jul 2024 20:17:17 +0000

Law for a Digital Republic h1_admin Mon, 07/29/2024 - 15:17 Jurisdiction France Region Europe Requirement Required Organization Congrès du Parlement Provision Article 47 Applies to ANSSI (French government agency) Date October 2016 Description Creates a safe harbor for vulnerability reporters if they are acting in good faith, and if they report it to ANSSI exclusively. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033202746/

M-23-16, update to memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

h1_admin — Fri, 26 Jul 2024 21:04:20 +0000

M-23-16, update to memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices h1_admin Fri, 07/26/2024 - 16:04 Jurisdiction United States Region North America Requirement Required Organization OMB Provision Section 4.b of the Self-Attestation Common Form Applies to Software producers that serve the Federal government Date June 9, 2023 Description Requires software producers attest that they have a policy or process to address discovered security vulnerabilities prior to product release. https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18…

IoT Cybersecurity Improvement Act 2020

h1_admin — Fri, 26 Jul 2024 20:33:59 +0000

IoT Cybersecurity Improvement Act 2020 h1_admin Fri, 07/26/2024 - 15:33 Jurisdiction United States Region North America Requirement Required Organization Congress / NIST Provision Sec. 5, Sec. 6, Sec. 7 Applies to Federal agencies and contractors providing IoT devices to the Federal government Date December 2020 Description Section 5: (Guidelines on the Disclosure Process for Security Vulnerabilities Relating to Information Systems, Including IOT Devices) NIST must create guidelines "(1) for the reporting, coordinating, publishing, and receiving of information about—(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internetof Things devices owned or controlled by an agency); and B) the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—(A) receiving information about a potential security vulnerability relating to the information system; and (B) disseminating information about the resolution of a security vulnerability relating to the information system." Section 6: (Implementation of Coordinated Disclosure of Security Vulnerabilities Relating to Agency Information Systems, Including IOT Devices) Federal agencies—in collaboration with OMB—must develop "policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems". These programs should be consistnet with NIST guidelines and standards. Moreover, "the Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section." Section 7: (Contractor Compliance With Coordinated Disclosure of Security Vulnerabilities Relating to Agency IOT Devices) The head of a federal agency is prohibited from "procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device" if the Chief Informatoin Officer determines that doing so would prevent compliance with the guidelines published under section 5. https://www.congress.gov/116/plaws/publ207/PLAW-116publ207.pdf

OMB Memo 20-32

h1_admin — Fri, 26 Jul 2024 20:02:08 +0000

OMB Memo 20-32 h1_admin Fri, 07/26/2024 - 15:02 Jurisdiction United States Region North America Requirement Required Organization OMB Provision Sections I, II, & III Applies to Federal agencies Date September 2020 Description

Section I: Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research is welcomed and authorized.

Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported.

Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report them deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.

Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of 2014 (FISMA) or OMB Memorandum M-17-12.

Section II: CISA must publish impelementaiton guidance describing the actions agencies should take to incorporate VDPs into their larger information security programs.

Section III: Each federal agency must develop and implement a VDP.

https://www.whitehouse.gov/wp-content/uploads/2020/09/M-20-32.pdf

CISA Binding Operational Directive 20-01

h1_admin — Fri, 26 Jul 2024 19:59:57 +0000

CISA Binding Operational Directive 20-01 h1_admin Fri, 07/26/2024 - 14:59 Jurisdiction United States Region North America Requirement Required Organization CISA Provision N/A Applies to Federal agencies Date September 2020 Description Enable Receipt of Unsolicited Reports: Agencies must ensure that they have a designated security contact for their .gov domains and that their email is regularly monitored. Develop and Publish a Vulnerability Disclosure Policy: VDP must include which systems are in scope; the types of testing that are allowed; a description of how to submit vulnerability reports; a commitment to not recommend or pursue legal action; a statement that sets expections for the reporter and pledges the agency will be as transparent as possible about remediation; and an issuance date. A VDP must not require the submission of PII; limit testing soley to vetted registered parties or US citizens; Attempt to restrict the reporter’s ability to disclose discovered vulnerabilities to others; submit disclosed vulnerabilities to the Vulnerabilities Equities Process or any similar process. Vulnerability Disclosure Handling Procedures: VDPs must "Describe how: Vulnerability reports will be tracked to resolution; Remediation activities will be coordinated internally; Disclosed vulnerabilities will be evaluated for potential impact17 and prioritized for action; Reports for systems and services that are out of scope will be handled; Communication with the reporter and other stakeholders (e.g., service providers, CISA) will occur; Any current or past impact of the reported vulnerabilities (not including impact from those who complied with the agency VDP) will be assessed and treated as an incident/breach, as applicable. Set target timelines for and track: Acknowledgement to the reporter (where known) that their report was received; Initial assessment (i.e., determining whether disclosed vulnerabilities are valid, including impact evaluation); Resolution of vulnerabilities, including notification of the outcome to the reporter." Reporting Requirements and Metrics: After the VDP is created, federal agencies must report valid/credible reports of newly discovered vulnerabilities on agency systems that could affect other parties in government or industry. CISA Actions: "CISA will monitor agency compliance to this directive and may take actions for non-compliance" and "will review agencies' initial implementation plan that reflects timelines and milestones for their VDP" to cover systems required under OMB's M-20-30. https://www.cisa.gov/news-events/directives/bod-20-01-develop-and-publish-vulne…

Cyber Resilience Act (CRA)

h1_admin — Fri, 26 Jul 2024 17:41:19 +0000

Cyber Resilience Act (CRA) h1_admin Fri, 07/26/2024 - 12:41 Jurisdiction European Union Region Europe Requirement Required Organization European Union Provision Annex 1 Sec. 2(5) Applies to Manufacturers of software and digitally-enabled devices in the EU Single Market Date December 10, 2024 Description

Requires manufacturers to put in place and enforce a policy on coordinated vulnerability disclosure.

Establish a coordinated vulnerability disclosure policy (CVD).

Full compliance deadline: December 10, 2027

Early reporting obligations: Some provisions, like vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force

https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html#title2