Closed

Vulnerability reporting service - Triage

Published

Description

Summary of work

This is required to transition the existing Vulnerability Reporting Service (VRS) from NCSC and stand up a BAU operation within the Government Security Group (GSG). The Cabinet Office is leading the development and operation of the Government Cyber Coordination Centre (GC3) as a key outcome of the ministerially agreed Government Cyber Security Strategy. The GC3 will coordinate incident response, enable threat intelligence sharing and support coordination across government departments. One of the key agreed operational requirements of the GC3 is to coordinate vulnerability disclosure across the government estate by establishing a central Vulnerability Reporting Service for government. The concept of a central Vulnerability Reporting Service has been piloted by the NCSC over the past 5 years, and this sets out how the new GC3 vulnerability reporting service should be set up to adopt, develop and enhance the pilot vulnerability reporting for government.

The GCSS sets out the need for VRS as part of improving government resilience. It is critical that we are able to consume, triage and fix vulnerabilities across government in a coherent and timely manner. The GC3 is being developed to focus on cross-government data sharing and analysis of data to inform decision making. The VRS is a key component of providing GC3 with the data and processes to improve the resilience of public-facing services and systems across government, and establishment of the VRS was included as a key deliverable within the strategy. Failure to maintain a VRS for government organisations presents an unacceptable level of operational and reputational risk.

If we do not offer external researchers the ability to report vulnerabilities once identified, we risk these being exploited by malicious attackers (80% of vulnerabilities reported in 2022 were rated ‘critical’ or ‘high’ severity, meaning that the likelihood of exploitation and the impact once exploited would have been very significant). We also risk significant reputational damage if researchers choose to release their findings into the public domain.

Where the supplied staff will work

No specific location (for example, they can work remotely).

Why the work is being done

  • To enable UK Government to adopt a single cross-government vulnerability reporting route, hosted centrally on GOV.UK, to deliver ministerial commitments agreed in the Government Cyber Security Strategy.
  • To align with the Government Chief Security Officer’s (GCSO) ownership of security standards for government and mandate to reduce cyber risk across government.
  • To enable use of the Cabinet Office’s mandate, under the authority of the GCSO and the COO for the Civil Service, to require departments to fix vulnerabilities and triage these appropriately.
  • To enable use of our GovAssure process to provide objective assurance that improvements have been delivered.
  • To enable data collected to be efficiently shared and aligned with other data points to support wider vulnerability management, enabling assessment of cyber security maturity across government and directly supporting our assurance processes.
  • To provide external researchers and experts with a clear reporting point for all cross-government responsibilities, increasing the likelihood of effective reporting and an efficient response.
  • To provide a single coherent service across government, delivering financial efficiencies and value for money and enabling the sharing of expertise across government.

By transitioning to GSG and providing this capability centrally, government will, for the first time, be able to holistically tackle cyber security vulnerabilities at scale and pace across the public sector. We intend to retain the current VRS KPI, based on the number of reports reported and triaged to government departments within 1 week of disclosure, upon transition to the Cabinet Office. The service will be managed within the GCCC programme management structure, which reports into the GCSS programme management office.

The business problem

For VRS to succeed, it must provide a single point of contact for external security researchers and organisations to report vulnerabilities. It will require specialist technical skills to deliver the service: to ensure that each vulnerability is triaged appropriately, to establish that reported severity and impact are realistic and accurate, and to ensure correct prioritisation and escalation. The service will need the authority to assess the impact of specific vulnerabilities within department-owned services and also be supported by the authority to encourage and, if necessary, mandate departments to fix vulnerabilities. Data gathered will need to support building a single coherent data set of government vulnerabilities, to inform wider GCCC vulnerability operations. Reports must be reported and triaged to government departments within 1 week of disclosure.

In 2022, the VRS received 989 valid reports and helped to remediate 440 vulnerabilities across 237 individual UK government organisations.

The key performance indicators and metrics of the cross-government VRS are:

ii. Continue to manage the x-gov VRS (Metric: Number of vulnerability reports received per month).
iii. Manage down cross-government vulnerabilities (Metric: Maintain at least 90% remediation rate of valid vulnerabilities).
iv. Maintain a high level of finder and department interaction and satisfaction (Metric: Maintain at least 70% of reports resolved within 30 days of reporting).

The people who will use the product or service

User type: VRS Manager
Definition: I need to be made aware of an identified vulnerability across the Government System. I need to be given a detailed report on the vulnerability within 1 week of it being identified by a Researcher. I need information such as the technical nature of the vulnerability and the severity of the vulnerability. I need to know this so that I am then able to direct the report and detail of the vulnerability to the correct team/party to review and resolve the vulnerability.

User type: Service Manager
Definition: As a Service Manager I need to be quickly made aware of any found vulnerabilities so that I am able to take action to resolve them in order to ensure the security and safety of the service.

Work done so far

The current Triage service has been in place since 2018.

Which phase the project is in

Not applicable

Existing team

The existing team of Cabinet Office staff is 2 VRS Analysts and 1 Vulnerability Lead.

Address where the work will be done

70 Whitehall, London SW1A 2AS

Working arrangements

All work is able to be carried out remotely. Attendance on site is not required. As a minimum, the service must cover the hours of 8.00 to 18.00 Monday to Friday.

Security and vetting requirements

Baseline Personnel Security Standard (BPSS)

Security and vetting requirements

Security Check (SC)

More information about the Security requirements

All supplier team members delivering the Triage Service must each individually hold BPSS security clearance as a minimum. However, SC security clearance is preferred. If team members are based outside of the U.K. they must hold an equivalent, recognised level of security clearance. If the intention is to utilise staff based outside of the U.K., you (the supplier) must submit a clarification question to the authority during the bid process to detail the proposed alternative security clearance and request whether it will be accepted.

Latest start date

1 April 2024

Expected contract length

Contract length: 2 years 0 months 0 days

Budget

Indicative maximum: The contract value is not specified by the buyer
Indicative minimum: The contract value is not specified by the buyer

Contracted out service or supply of resource?

Contracted out service: the off-payroll rules do not apply

Terms and acronyms

Term or acronym: VRS
Definition: Vulnerability Reporting System

Timeline

Publish date

5 months ago

Close date

5 months ago

Buyer information

Cabinet Office