OIG Audit Finds Commerce Department Failing to Fully Secure Public-Facing Systems

The Department of Commerce’s vulnerability disclosure program (VDP) is currently ineffective due to gaps in coverage and remediation efforts. An audit highlights the need to include all systems, improve processes, and automate communication to strengthen cybersecurity defenses.

Key points

  • The Department’s VDP was established following CISA’s directive but is not fully effective.
  • Only 80% of reported vulnerabilities were fully remediated, with many deadlines missed.
  • The scope of the VDP excluded 22 department-owned sites, limiting its effectiveness.
  • The management of the VDP restricts automated vulnerability scanning tools.
  • The OIG recommends expanding coverage, updating procedures, and automating communication for better remediation.

Read More: https://thecyberexpress.com/vdp-oig-audit-cybersecurity/