
New US defense bill sparks debate over unrealistic software vulnerability rules

A controversial clause in the 2023 defense bill could upend cybersecurity practices. Experts say its rigid rules ignore real-world risks and operational limits.


On August 17, the US House of Representatives passed H.R. 7900 - National Defense Authorization Act for Fiscal Year 2023, and section 6722 could have serious impacts on the information security industry and beyond.

Section 6722 (e) - Certification and Notifications

According to subsection (e)(1), a contracting authority within the Department of Homeland Security (DHS) must provide a certification stating that all SBOM components are free from any vulnerability or defect found in NVD, or in any database maintained by the Cybersecurity and Infrastructure Security Agency (CISA), including the Known Exploited Vulnerabilities (KEV) Catalog.

The Problems with H.R. 7900

Organizations looking to comply with H.R. 7900 will likely struggle with two main pain points: H.R. 7900's poor language and the quality of publicly available data.

1. Poor Language

Despite good intentions, legislation requiring organizations to address every vulnerability is problematic for many reasons. First and foremost, it favors a top-down or patch-all mindset, which has produced little improvement in security over the past decade. Trying to fix every vulnerability requires significant resources, and there are simply too many to address in a timely manner.

2. Built around CVE / NVD Data

The primary concern, however, is that Section 6722 is built on NIST's National Vulnerability Database. Every NVD entry is keyed to a CVE ID, so a vulnerability that has not been assigned a CVE ID does not exist in NVD at all.
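The certification in subsection (e)(1) amounts to cross-referencing every SBOM component against CVE-keyed records. The following Python, added here and not part of the article, runs that check on constructed data and also shows the blind spot just described: a component whose only known advisory has no CVE ID passes the certification. All package names, versions and CVE IDs below are placeholders.

```python
# Added example, not from the article: a minimal version of the check that a
# Section 6722(e)(1) certification implies. SBOM, vulnerability records and
# advisories are all constructed sample data; the CVE IDs are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


# CycloneDX-style SBOM reduced to what the check needs (constructed).
SBOM = [
    Component("libexample", "1.2.3"),
    Component("netparse", "0.9.0"),
    Component("oldcrypt", "2.0.1"),
]

# Records as a CVE-keyed database exposes them: (CVE ID, package, version).
NVD_LIKE = [
    ("CVE-0000-0001", "libexample", "1.2.3"),
    ("CVE-0000-0002", "oldcrypt", "2.0.1"),
]
# Subset of those CVE IDs flagged as exploited in the wild (constructed).
KEV_LIKE = {"CVE-0000-0002"}
# Vendor advisories with no CVE ID assigned (constructed).
ADVISORIES = {("netparse", "0.9.0")}


def certify(sbom, nvd, kev):
    """Return (certifiable, findings). Certifiable only when no component
    matches any record: the bill's 'free from any vulnerability' standard,
    which treats a KEV entry and an unexploited CVE identically."""
    findings = []
    for c in sbom:
        for cve, pkg, ver in nvd:
            if (c.name, c.version) == (pkg, ver):
                findings.append((c.name, c.version, cve, cve in kev))
    return len(findings) == 0, findings


def blind_spots(sbom, nvd, advisories):
    """Components with a vendor advisory but no CVE-keyed record: invisible
    to a check built only on NVD data, so certification would still pass."""
    covered = {(pkg, ver) for _, pkg, ver in nvd}
    return [c for c in sbom
            if (c.name, c.version) in advisories
            and (c.name, c.version) not in covered]
```

Every match blocks certification regardless of exploitability, while the advisory-only component is never seen.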

How H.R. 7900 Could Affect You

In the end, the inherent problems found in H.R. 7900 and CVE / NVD will result in increased workloads, stress, and likely less software sold.

H.R. 7900's Potential Impact on the Security Community

Taking all of this into consideration, H.R. 7900 could have lasting impacts on the vulnerability disclosure landscape and the security industry as a whole. The language in this bill shows that lawmakers treat vulnerability counts as an indicator of security, which they are not.

Identify and Remediate Vulnerabilities with our website

H.R. 7900 has the potential to be problematic, and how it will be enforced is unclear. However, organizations that are forced to comply, or that choose to, will need comprehensive and detailed vulnerability intelligence.
