
Vulnerability Disclosure Guidance

Project Overview

As part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities, aligning with ISO/IEC 29147 and 30111 whenever practical. The guidelines incorporate:

  • Receiving information about a potential security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device)
  • Disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device)

The guidelines currently follow the ISO documents as shown in the figure below.

Chart displaying how ISO/IEC 29147 and ISO/IEC 30111 work together to form the basis of addressing vulnerability disclosures.

Guidelines are to be published by June 2, 2021. NIST will work with other government agencies, including OMB, DoD and DHS, to support a government-wide process of accepting, confirming, analyzing, solving, and deploying vulnerability disclosures. NIST will update this project page to reflect ongoing and future work in order to address and promote a unified solution.

Please send comments to NIST-Federal-Vulnerability-Disclosure-Guidance-Feedback@nist.gov

Created February 04, 2021, Updated February 18, 2021