Jurisdiction
Region
Requirement
Policy
Executive Order 14028
Applies to
Software developers and vendors (specifically those that supply the federal government, but could also apply to other software developers)
Provision
Sec. 4(e)(viii)
Description
Requires NIST to issue guidance identifying practices that enhance the security of the software supply chain. In the guidance, NIST must include standards, procedures, or criteria related to, among other issues, "participating in a vulnerability disclosure program that includes a reporting and disclosure process."
Date
May 2021
Organization
White House