October 23, 2018


White House Releases Vulnerability Equities Policy and Processes

The White House released on November 15, 2017 the Vulnerabilities Equities Policy and Process for the United States Government (“VEP”) — the process by which the Government determines whether to disseminate or restrict information about new, nonpublic vulnerabilities that it discovers. This release was motivated by criticism following allegations that significant cyber-attacks have exploited vulnerabilities withheld by the Government, concerns that the Government is exploiting vulnerabilities instead of alerting vendors so they can be fixed, and general calls for transparency in the process.

According to the newly-released documents, the VEP is overseen by an Executive Secretariat (a role filled by the National Security Agency), and the final decision about whether to disseminate or restrict vulnerability information is made by an interagency Equities Review Board (“ERB”). The VEP is initiated when an agency submits a newly discovered and not publicly known vulnerability and provides its recommendation on whether to disseminate or restrict the information. Any other agencies claiming an equity in the vulnerability must concur or disagree with the recommendation. The ERB considers the opinions and renders a final decision, and the vulnerability is either disseminated or restricted.

The ERB’s determinations are based on the balancing of four groups of equities: (1) defensive; (2) intelligence, law enforcement, and operational; (3) commercial; and (4) international partnership. Specific considerations include: whether and how threat actors will exploit the vulnerability, the potential harm caused by exploitation, the likelihood of effective mitigation, whether the vulnerability can be exploited to serve an intelligence or law enforcement purpose, and risks to the Government’s relationship with industry and to international relations.

© 2018 Covington & Burling LLP

About this Author

David Fagan, Data privacy attorney, Covington
Partner

David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and also leads the firm’s cyber and data security incident response practice. Mr. Fagan is rated by Chambers USA and Chambers Global for his leading expertise in CFIUS matters and privacy and data security, and was named as a ...

Catlin Meade, Cybersecurity lawyer, Covington
Associate

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.
