Description
I see three major issues; however, I do not have constructive recommendations. Still, I will share my thoughts and experiences.
I think there will need to be verbiage that acknowledges and offers support for the agencies that utilize or rely on external (or internal) services provided by other agencies, such as the Department of Homeland Security or other agencies that offer security services. There are expectations that those agencies may have the budget to support improving their cybersecurity posture, or the ability to acquire additional funding.
Additionally, establishing a Vulnerability Disclosure Policy (and later a program) can negatively impact the individuals or teams responsible for cybersecurity. As we know, the oversight of cybersecurity programs comes under great scrutiny when expectations are not met, and it is used in performance reviews that determine whether or not the individual's or team's efforts are unsatisfactory or not meeting needs.
Both a pro and a con: a VDP can and will identify that the Systems Development Lifecycle (dev, test, QA, etc.) process has deficiencies, where security vulnerabilities should be discovered and remediated yet the ability to do so is lacking, creating the need to recruit external support via a VDP.
So while requiring a VDP is a good approach, it will not solve the fundamental, underlying issues each agency faces; instead it will put more stress on cybersecurity teams and negatively impact culture.