Vulnerability Disclosure Guidance

NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving​ information about security vulnerabilities​, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical. 

The guidelines address:

• Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs) 
• Receiving information about a potential security vulnerability in an information system owned or controlled by a government agency (including an Internet of Things device)
• Disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device)

Draft Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, is available for comment, and a link is provided under Publications on this page. SP 800-216 recommends guidance for establishing a federal vulnerability disclosure framework and highlights the importance of properly handling vulnerability reports and ensuring clear communications to minimize or eliminate vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.

NIST will continue to work with other government agencies – including OMB, DoD and DHS – in order to support a government-wide process of accepting, confirming, analyzing, solving, and deploying vulnerability disclosures. 

Please send comments to NIST-Federal-Vulnerability-Disclosure-Guidance-Feedback@nist.gov