Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot's problem statement was clearly defined: Can the Defense Industrial Base (DIB) receive the same defense-in-depth protection as the DoD VDP provides to the Joint Forces Headquarters DoD Information Network (JFHQ-DODIN) and U.S. Cyber Command (USCC)?

The working thesis used to answer this question led DC3’s DoD Defense Industrial Base Collaborative Information Sharing Environment (DCISE), DoD Vulnerability Disclosure Program (DoD VDP), and the Defense Counterintelligence and Security Agency (DCSA) to collaboratively establish a one-year voluntary (DIB-VDP) Pilot. The objective was to provide situational awareness of the lessons learned by the DoD VDP to DIB small and medium-sized companies by leveraging crowdsourced ethical hackers. The pilot was launched based on the strong recommendation from the Carnegie Mellon University Software Engineering Institute (SEI) DIB-VDP Feasibility Study and ultimately was so successful it attracted more than double the intended voluntary DIB company participants!

However, success alone does not turn a pilot into a funded program.

Now begins the work of analyzing the data collected, constructing a compelling after-action report (AAR), and issuing a paper to present for USG funding. Additionally, the DIB vulnerability disclosure program would need to scale from less than 100 participants to nearly 300,000 DIB-cleared and non-cleared companies. This requires innovative artificial intelligence and machine learning solutions for securely onboarding participants and documenting their organization's in-scope assets to be researched while protecting their vulnerability data and remediation. This is where the participants of FloCon 2023 can apply their practical knowledge to this project. It requires innovative suggestions from data scientists, workflow modelers, and behavioral analysts.

The presentation provides significant outcomes that affect the nation's Defense Industrial Base (DIB) that stand to impact supply chain risk management, critical infrastructure, and the top vulnerabilities identified in the DIB-VDP pilot as they map to MITRE's ATT&K framework's CWEs and CVEs.