The Department of Defense Cyber Crime Center partnered with George Mason University to help address challenges in the full-scale launch of its Vulnerability Disclosure Program.

The collaboration was made possible through the National Security Innovation Network Capstone program, which is comprised of entrepreneurs and student technologists with innovations that are potentially beneficial to the DOD, the defense agency said Tuesday.

VDP began in 2016 as a pilot program with the Defense Industrial Base and was was designed to cast a wider net of protection for the DOD Information Network. Although the pilot proved successful, it faced scalability obstacles such as a larger workforce to meet higher demand for services.

A team from George Mason University Information Systems and Operations Management analyzed the lessons learned from the program and made recommendations to help resolve its labor-intensive challenges. Among the suggested solutions was the creation of a cloud-based portal to support DIB companies going through the VDP onboarding phase.

After eight weeks, the recommendations led to a 50-hour reduction in labor hours spent on the program, as well as a decline in onboarding processing time from eight hours to one hour per company. VDP expanded its DIB companies from 50 to 1,000 for the same operational budget.

The General Services Administration has released a request for information on vendors that could provide post-quantum cryptography products and services.

GSA has asked several questions regarding PQC-related tools and services that companies offer and risks and impacts to organizations’ information technology systems as they support federal, state, local and tribal entities, according to a notice published Tuesday.

The agency wants information on the changes and updates made by companies to address an Office of Management and Budget memorandum regarding the migration to PQC.

Interested stakeholders can also share the additions and changes they have implemented to comply with a 2021 cybersecurity executive order and national security memos issued in 2022 in relation to PQC.

Responses to the RFI are due July 11.

Shalanda Young, director of the Office of Management Budget, and Kemba Walden, acting national cyber director, have sent a memo to department and agency heads outlining the Biden administration’s cybersecurity priorities for the fiscal year 2025 budget.

According to the document, budget submissions must be consistent with the five pillars of the National Cybersecurity Strategy, which are to protect the nation’s critical infrastructure, combat cybercrime, shape market forces to drive security and resilience, invest in a resilient future and build coalitions with international allies and partners.

To defend the critical infrastructure sector, agencies must prioritize investments that lead to the development of long-term technologies that are “secure by design,” the memo said.

Agency investments must achieve progress in zero trust deployments and meet the goals of the Federal Zero Trust Strategy.

The guidance also directs agencies to prioritize technology modernization efforts to ensure that government systems meet standards for security and customer experience requirements.

OMB will work with the Office of the National Cyber Director to review agency submissions to determine whether they adequately address the priorities and are consistent with overall cybersecurity strategy and policy.

The Cybersecurity and Infrastructure Security Agency has published the Extensible Visibility Reference Framework Guidebook to help public and private organizations strengthen the defenses of their cloud-based services.

CISA on Tuesday also released a Technical Reference Architecture document as part of its Secure Cloud Business Applications project.

The agency requested public comment in 2022 on SCuBA, a program that aims to guide federal agencies in protecting data in their cloud business application environments, as well as the platforms themselves. The feedback CISA received is incorporated in the new guide materials.

The eVRF Guidebook is intended to help organizations navigate the EVR Framework for identifying products and services that provide visibility data. It is also expected to help pinpoint process gaps and minimize threats.

The TRA document, on the other hand, is meant to help entities make sound decisions in adopting cloud services, zero trust architecture and other related technologies and strategies.

“These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” said Eric Goldstein, CISA’s executive assistant for cybersecurity.