NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines
Jurisdiction
United States
Region
North America
Requirement
Recommended
Organization
NIST
Provision
N/A
Applies to
Federal agencies, and contractors (and their subcontractors at any tier) providing information systems, including IoT devices, to the Federal government
Date
May 2023
Description
Provides the guidelines required by the IoT Cybersecurity Improvement Act of 2020, which directs NIST to publish guidelines: "(1) for the reporting, coordinating, publishing, and receiving of information about a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency), and the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on— receiving information about a potential security vulnerability relating to the information system; and disseminating information about the resolution of a security vulnerability relating to the information system." The guidelines are aligned with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes). In NIST's summary: "The document defines the Federal Coordination Body (FCB) as the primary interface for vulnerability disclosure reporting and oversight. It also defines Vulnerability Disclosure Program Offices (VDPOs) that are usually part of the Information Technology Security Offices (ITSOs). The FCB and VDPOs work together to address vulnerability disclosure in the Federal Government."