A. Launch Vulnerability Disclosure Platform: Contractor shall implement and operate a Vulnerability Disclosure Program on behalf of USAC in support of monitoring, identifying, and defending against vulnerabilities detected on enterprise systems. The platform is to be structured based on the Cybersecurity Framework set forth by NIST SP 800-53 Revision 5 and will be flexible enough for customizations requested by USAC while adhering to recommendations set forth by the FCC. The platform will include report validation (triage), duplicate-detection, and an ISO 3011 compliance vulnerability handling workflow. Contractor will include a dedicated customer success team to support the following platform operations: 1. Conduct Platform Kickoff The Contractor will conduct Vulnerability Disclosure Platform kickoff meeting with USAC stakeholders outlining the program launch, identifying key internal and external stakeholders, assigning platform training to key personnel, configuring enterprise workflows, and eliciting leadership approval of project scope. During this meeting, USAC will determine which vulnerability intake method(s) (as defined below) will be used to communicate vulnerabilities to the enterprise. 2. Enact Vulnerability Intake The Contractor will enact the preferred method(s) of communication with external researchers of vulnerability testing inquiries, as determined in the project kickoff, through one or more of the following channels: i) a public-facing “opportunities” page that allows researchers to submit vulnerabilities directly from the page; ii) an embedded submission form on USAC’s website that allows users to enter specific information related to vulnerabilities; or iii) email forwarding which allows researchers to send vulnerability details to a designated, secure e-mail address linked to USAC. 3. Perform Intake Validation The Contractor will gather and analyze incoming vulnerability reports from external researchers on behalf of USAC. Additionally, the Contractor will be responsible for communicating necessary follow-ups and sending additional inquiries needed to validate vulnerability intake. Throughout this process, USAC will have access to intake validation reports and be able to view the active and closed validation workflows. 4. Communicate Validation Results The Contractor will then publish and send fully validated, triaged reports to USAC detailing all phases of the vulnerability intake workflow. The validation reports will be summarized in a consistent, uniform structure to ensure consistency for the enterprise when reviewing the results of vulnerability intake.
