Update the Vulnerability Disclosure Policy (VDP) to include all internet-accessible systems. Once OIT has updated the VDP, the SEC should immediately report to the Cybersecurity and Infrastructure Security Agency (CISA) regarding:
a. Any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on SEC systems that use commercial software or services that affect or are likely to affect other parties in government or industry.
b. Vulnerability disclosure, coordination, or remediation activities that the SEC believes CISA can assist with or should be aware of, particularly as they relate to outside organizations.
c. Any other situation in which the SEC deems it helpful or necessary
Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Open
Source UUID
5636d78b-756b-42e2-b405-ecf3a47b2ba10|5636d78b-756b-42e2-b405-ecf3a47b2ba11|5636d78b-756b-42e2-b405-ecf3a47b2ba12|5636d78b-756b-42e2-b405-ecf3a47b2ba13|5636d78b-756b-42e2-b405-ecf3a47b2ba9-2
Recommendation Number
2
Significant Recommendation
Yes