Outlines best practices for organizations to create their own CVD policy. It focuses on 5 broad areas: 1. Explaining the goal of a CVD 2. Defining the differing areas of responsibility for organizations and the party reporting a vulnerability 3. Proposing structures of a CVD within an organization, proposing terms for an individual, and proposing coordination with the NCSC 4. Clarifying the process for the communication of a vulnerability 5. Providing examples of existing CVDs