Policy: NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines
Applies to: Federal agencies and contractors providing IoT devices to the Federal government
Provision: N/A
Description: Implements the requirements listed in the IoT Cybersecurity Improvement Act of 2020 with guidelines "(1) for the reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—receiving information about a potential security vulnerability relating to the information system; and disseminating information about the resolution of a security vulnerability relating to the information system." The Guidelines are aligned with ISO/IEC 29147 and 30111: "The document defines the Federal Coordination Board (FCB) as the primary interface for vulnerability disclosure reporting and oversight. It also defines Vulnerability Disclosure Program Offices (VDPOs) that are usually part of the Information Technology Security Offices (ITSOs). The FCB and VDPOs work together to address vulnerability disclosure in the Federal Government."
Date: May 2023
Organization: NIST

Policy: IoT Cybersecurity Improvement Act 2020
Applies to: Federal agencies and contractors providing IoT devices to the Federal government
Provision: Sec. 5, Sec. 6, Sec. 7
Description:

Section 5 (Guidelines on the Disclosure Process for Security Vulnerabilities Relating to Information Systems, Including IOT Devices): NIST must create guidelines "(1) for the reporting, coordinating, publishing, and receiving of information about—(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and (B) the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—(A) receiving information about a potential security vulnerability relating to the information system; and (B) disseminating information about the resolution of a security vulnerability relating to the information system."

Section 6 (Implementation of Coordinated Disclosure of Security Vulnerabilities Relating to Agency Information Systems, Including IOT Devices): Federal agencies—in collaboration with OMB—must develop "policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems". These programs should be consistent with NIST guidelines and standards. Moreover, "the Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section."

Section 7 (Contractor Compliance With Coordinated Disclosure of Security Vulnerabilities Relating to Agency IOT Devices): The head of a federal agency is prohibited from "procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device" if the Chief Information Officer determines that doing so would prevent compliance with the guidelines published under section 5.

Date: December 2020
Organization: Congress / NIST

Policy: Recommended Criteria for Cybersecurity Labeling of IoT
Applies to: IoT Product Developers
Provision: Section 2.2 - Baseline Product Criteria, Subsection: Documentation (Pg. 8)
Description: Throughout the development lifecycle, the IoT product developer creates or gathers and stores information relevant to the cybersecurity of the IoT product and its product components. With regards to the vulnerability management policies and processes associated with the IoT product, the IoT product developer should have the following:

i. Methods of receiving reports of vulnerabilities
ii. Processes for recording reported vulnerabilities
iii. Policy for responding to reported vulnerabilities, including the process of coordinating vulnerability response activities among component suppliers and third-party vendors
iv. Policy for disclosing reported vulnerabilities
v. Processes for receiving notification from component suppliers and third-party vendors about any change in the status of their supplied components, such as end of production, end of support, deprecated status (e.g., the product is no longer recommended for use), or known insecurities.

Date: February 2022
Organization: NIST

Policy: NIST 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations
Applies to: Federal agencies and contractors (via FISMA)
Provision: RA-5, SR-8
Description:

RA-5 (Vulnerability Monitoring and Scanning): Subsection F states "employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." In the discussion of the control, NIST states "vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation."

SR-8 (Notification Agreements): States to "establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]]."

Date: September 2020
Organization: NIST

Policy: OMB Memo 20-32
Applies to: Federal agencies
Provision: Sections I, II, & III
Description:

Section I:

Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research is welcomed and authorized.

Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported.

Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report it deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.

Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of 2014 (FISMA) or OMB Memorandum M-17-12.

Section II: CISA must publish implementation guidance describing the actions agencies should take to incorporate VDPs into their larger information security programs.

Section III: Each federal agency must develop and implement a VDP.

Date: September 2020
Organization: OMB

Policy: CISA Binding Operational Directive 20-01
Applies to: Federal agencies
Provision: N/A
Description:

Enable Receipt of Unsolicited Reports: Agencies must ensure that they have a designated security contact for their .gov domains and that their email is regularly monitored.

Develop and Publish a Vulnerability Disclosure Policy: The VDP must include which systems are in scope; the types of testing that are allowed; a description of how to submit vulnerability reports; a commitment to not recommend or pursue legal action; a statement that sets expectations for the reporter and pledges the agency will be as transparent as possible about remediation; and an issuance date. A VDP must not require the submission of PII; limit testing solely to vetted registered parties or US citizens; attempt to restrict the reporter's ability to disclose discovered vulnerabilities to others; or submit disclosed vulnerabilities to the Vulnerabilities Equities Process or any similar process.

Vulnerability Disclosure Handling Procedures: VDPs must "Describe how: Vulnerability reports will be tracked to resolution; Remediation activities will be coordinated internally; Disclosed vulnerabilities will be evaluated for potential impact and prioritized for action; Reports for systems and services that are out of scope will be handled; Communication with the reporter and other stakeholders (e.g., service providers, CISA) will occur; Any current or past impact of the reported vulnerabilities (not including impact from those who complied with the agency VDP) will be assessed and treated as an incident/breach, as applicable. Set target timelines for and track: Acknowledgement to the reporter (where known) that their report was received; Initial assessment (i.e., determining whether disclosed vulnerabilities are valid, including impact evaluation); Resolution of vulnerabilities, including notification of the outcome to the reporter."

Reporting Requirements and Metrics: After the VDP is created, federal agencies must report valid/credible reports of newly discovered vulnerabilities on agency systems that could affect other parties in government or industry.

CISA Actions: "CISA will monitor agency compliance to this directive and may take actions for non-compliance" and "will review agencies' initial implementation plan that reflects timelines and milestones for their VDP" to cover systems required under OMB's M-20-30.

Date: September 2020
Organization: CISA

Policy: Federal Information Security Modernization Act (FISMA) 2023
Applies to: Federal agencies, excluding "national security systems"
Provision: Sec. 12(f)
Description: The head of each federal agency must develop and make publicly available a vulnerability disclosure policy for their agency, clearly defining a scope and directions for how to submit information. The head of each agency should coordinate with the Director of CISA in creating the policy. Agencies should not pursue legal action against submitters that made a "good faith effort" to identify a vulnerability and report it. The legislation does not apply to national security systems.
Date: TBD
Organization: Congress / CISA

Policy: National Cybersecurity Strategy
Applies to: Software developers and vendors
Provision: Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
Description: "To further incentivize the adoption of secure software development practices, the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors."
Date: March 2023
Organization: White House

Policy: Executive Order 14028
Applies to: Software developers and vendors (specifically those that supply the federal government, but could also apply to other software developers)
Provision: Sec. 4(e)(viii)
Description: Requires NIST to issue guidance identifying practices that enhance security of the software supply chain. In the guidance NIST must include standards, procedures, or criteria related to, among other issues, "participating in a vulnerability disclosure program that includes a reporting and disclosure process."
Date: May 2021
Organization: White House