Most US federal agencies lack a formal mechanism to receive information from third-parties about potential security vulnerabilities. Many agencies have no defined strategy for triaging reports about flaws reported by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith will not be subject to legal action by the government.
These circumstances create an environment that discourages people from reporting potential information security problems to the government, which delays or prevents the discovery, prioritization, and remediation of these issues.
Representatives from the Office of the Federal CIO and the Cyber & Infrastructure Security Agency will talk about potential approaches and solicit feedback on addressing these concerns in the enterprise of enterprises that is the US Government.