As part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities, aligning with ISO/IEC 29147 and 30111 whenever practical. The guidelines incorporate:
The guidelines currently follow the ISO documents as shown in the figure below.
Guidelines are to be published by June 2, 2021. NIST will work with other government agencies, including OMB, DoD and DHS, to support a government-wide process of accepting, confirming, analyzing, solving, and deploying vulnerability disclosures. NIST will update this project page to reflect ongoing and future work in order to address and promote a unified solution.
Please send comments to NIST-Federal-Vulnerability-Disclosure-Guidance-Feedback@nist.gov