March 17, 2018

March 16, 2018

Subscribe to Latest Legal News and Analysis

March 15, 2018

Subscribe to Latest Legal News and Analysis

White House Releases Vulnerability Equities Policy and Processes

The White House released on November 15, 2017 the Vulnerabilities Equities Policy and Process for the United States Government (“VEP”) — the process by which the Government determines whether to disseminate or restrict information about new, nonpublic vulnerabilities that it discovers.  This release was motivated by criticism following the allegations that significant cyber-attacks have exploited vulnerabilities withheld by the Government, concerns that the Government is exploiting vulnerabilities instead of alerting vendors to fix them, and general calls for transparency in the process.

According to the newly-released documents, the VEP is overseen by an Executive Secretariat (a role filled by the National Security Agency) and the final decision about whether to disseminate or restrict vulnerability information is made by an interagency Equities Review Board (“ERB”).  The VEP is initiated when an agency submits a newly discovered and not publicly known vulnerability and provides its recommendation on whether to disseminate or restrict the information.  Any other agencies claiming an equity in the vulnerability must concur or disagree with the recommendation.  The ERB considers the opinions, renders a final decision, and the vulnerability is either disseminated or restricted.

The ERB’s determinations are based on the balancing of four groups of equities: (1) defensive; (2) intelligence, law enforcement, and operational; (3) commercial; and (4) international partnership.  Specific considerations include: whether and how threat actors will exploit the vulnerability, the potential harm caused by exploitation, the likelihood of effective mitigation, whether the vulnerability can be exploited to serve an intelligence or law enforcement purpose, and risks to the Government’s relationship with industry and international relations.

© 2018 Covington & Burling LLP


About this Author

David N. Fagan, Attorney, International, Covington Law Firm

David Fagan’s practice covers national security law, international trade and investment, cybersecurity, and global privacy and data security.  Mr. Fagan has represented clients before federal and state government agencies and Congress in connection with a range of issues, including regulatory approvals of international investments, national security-related criminal investigations, high-profile congressional investigations, cybersecurity matters, and federal and state regulatory and enforcement actions in the data security area. 

Catlin M. Meade, Government Contracts Attorney, Covington & Burling Law Firm

Catlin Meade is an associate in the firm’s Washington, DC office.  

Ms. Meade is a member of the Maryland Bar. She is currently not admitted in the District of Columbia, but is supervised by principals of the firm.

Representative Matters

  • Advised Fortune 100 financial services corporation on all aspects of federal novation and various state procurement restrictions on the transfer of assets in connection with the company's global reorganization of various business units.

  • Represented top ten defense contractor in connection with an internal False Claims Act investigation.

  • Represented defense contractor in connection with an internal investigation regarding allegations of improper use of government funds for prohibited lobbying activities.

  • Key member of team that successfully represented commercial services contractor in a post-award agency protest convincing agency to reopen procurement and allow opportunity for new proposal submissions.

  • Key member of team that successfully represented protestor at GAO, obtaining new opportunity for client to participate in the procurement.