Jurisdiction:
Region:
Requirement: Policy
Policy: NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines
Applies to: Federal agencies and contractors providing IoT devices to the Federal government
Provision: N/A
Description: Implements the requirements of the IoT Cybersecurity Improvement Act of 2020, which calls for guidelines "(1) for the reporting, coordinating, publishing, and receiving of information about a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency), and the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on receiving information about a potential security vulnerability relating to the information system; and disseminating information about the resolution of a security vulnerability relating to the information system." The guidelines are aligned with ISO/IEC 29147 and ISO/IEC 30111: "The document defines the Federal Coordination Board (FCB) as the primary interface for vulnerability disclosure reporting and oversight. It also defines Vulnerability Disclosure Program Offices (VDPOs) that are usually part of the Information Technology Security Offices (ITSOs). The FCB and VDPOs work together to address vulnerability disclosure in the Federal Government."
Date: May 2023
Organization: NIST
Jurisdiction:
Region:
Requirement: Policy
Policy: Recommended Criteria for Cybersecurity Labeling of IoT
Applies to: IoT Product Developers
Provision: Section 2.2 - Baseline Product Criteria, Subsection: Documentation (Pg. 8)
Description: Throughout the development lifecycle, the IoT product developer creates or gathers and stores information relevant to the cybersecurity of the IoT product and its product components. With regard to the vulnerability management policies and processes associated with the IoT product, the IoT product developer should have the following:
  i. Methods of receiving reports of vulnerabilities
  ii. Processes for recording reported vulnerabilities
  iii. Policy for responding to reported vulnerabilities, including the process of coordinating vulnerability response activities among component suppliers and third-party vendors
  iv. Policy for disclosing reported vulnerabilities
  v. Processes for receiving notification from component suppliers and third-party vendors about any change in the status of their supplied components, such as end of production, end of support, deprecated status (e.g., the product is no longer recommended for use), or known insecurities
Date: February 2022
Organization: NIST
Jurisdiction:
Region:
Requirement: Policy
Policy: NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations
Applies to: Federal agencies and contractors (via FISMA)
Provision: RA-5, SR-8
Description: RA-5 (Vulnerability Monitoring and Scanning), subsection (f), states: "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." In the discussion of the control, NIST states: "Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation." SR-8 (Notification Agreements) directs organizations to "establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]]."
Date: September 2020
Organization: NIST
Jurisdiction:
Region:
Requirement: Policy
Policy: National Cybersecurity Strategy
Applies to: Software developers and vendors
Provision: Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
Description: "To further incentivize the adoption of secure software development practices, the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors."
Date: March 2023
Organization: White House
Jurisdiction:
Region:
Requirement: Policy
Policy: Executive Order 14028
Applies to: Software developers and vendors (specifically those that supply the federal government, but could also apply to other software developers)
Provision: Sec. 4(e)(viii)
Description: Requires NIST to issue guidance identifying practices that enhance the security of the software supply chain. In that guidance NIST must include standards, procedures, or criteria related to, among other issues, "participating in a vulnerability disclosure program that includes a reporting and disclosure process."
Date: May 2021
Organization: White House
Jurisdiction:
Region:
Requirement: Policy
Policy: Code of practice for app store operators and app developers
Applies to: App Store Operators and App Developers
Provision: Sec. 3
Description: App Store Operators, and App Developers listing apps on them, should have a VDP (contact details/contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers if the developer has not acknowledged the vulnerability, and if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.
Date: October 24, 2023
Organization: Department of Science, Innovation, & Technology