Vulnerability Disclosure Programs

Cybersecurity News Update: How VDPs are helping to protect agency websites, plus the GSA is phasing out a 50-year-old ID system

New Policy Can Protect Government Websites

In September of last year, a new cybersecurity policy was put in place that allowed agencies to use a VDP (Vulnerability Disclosure Program). The best way to describe a VDP is that it is a “911” for “.gov” websites. A recent instance accentuates the usefulness of these programs. On April 27th, an Australian-based group of cybersecurity experts called ‘Sakura Samurai’ found an exposed workstation in the State Department’s web environment. The workstation was running an outdated version of the ‘eXide’ software and was also hosting an open-source development environment that could be reached by hackers. Because of the old software, the workstation essentially acted as an unlocked backdoor: anyone who got in would have had access to State Department user files, including password files.

Known as “white hat” or “ethical” hacking, groups such as Sakura Samurai alert companies and governments when they discover such vulnerabilities. The fastest way for them to communicate what they discover is through a VDP, should the owner of the webspace have one set up. Because the State Department did have a VDP, it was able to confirm the threat and shut down the system just two days after the vulnerability was discovered on the other side of the world.

GSA Replacing DUNS with UEIs

The Data Universal Number System (DUNS) was created by Dun & Bradstreet in 1962 and the Federal Government began using it in 1998. Since then, every organization that is not a federal agency, but does business with the federal government, has needed a DUNS number. This includes a variety of organizations: contractors, grantees, universities, research centers, charities, and several more. The General Services Administration (GSA) has been transitioning away from DUNS and on April 4th, 2022, the GSA systems will no longer recognize DUNS numbers. The expiration date was originally planned for December 2020.

In 2018, GSA opened up bidding for a contract to modernize the system, and a year later, Ernst & Young was awarded a contract to administer the new ID system and handle the transition from DUNS. Instead of a DUNS ID number, organizations doing business with the US Government will need a unique entity ID (UEI). For contractors and grantees who already use the System for Award Management (SAM.gov), a UEI has likely already been automatically assigned. Organizations, such as “sub-awardees,” that haven’t yet been required to use SAM.gov will be able to register for a UEI on SAM.gov starting in October.


Until Next Time,

Benefits Ben, STWS

The information has been obtained from sources considered reliable but we do not guarantee that the foregoing material is accurate or complete. Any opinions are those of Serving Those Who Serve writers and not necessarily those of RJFS or Raymond James. Any information is not a complete summary or statement of all available data necessary for making an investment decision and does not constitute a recommendation. Investing involves risk and you may incur a profit or loss regardless of strategy suggested. Every investor’s situation is unique and you should consider your investment goals, risk tolerance, and time horizon before making any investment or financial decision. Prior to making an investment decision, please consult with your financial advisor about your individual situation. While we are familiar with the tax provisions of the issues presented herein, as Financial Advisors of RJFS, we are not qualified to render advice on tax or legal matters. You should discuss tax or legal matters with the appropriate professional.
