15 U.S.C. § 278g–3c — Guidelines on the disclosure process for security vulnerabilities relating to information systems, including Internet of Things devices
Verified against govinfo.gov as of June 20, 2026View official text on govinfo.gov ↗
- (a)In generalNot later than 180 days after December 4, 2020, the Director of the Institute, in consultation with such cybersecurity researchers and private sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall develop and publish under section 278g–3 of this title guidelines—
- (b)ElementsThe guidelines published under subsection (a) shall—
- (1)to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely-used standard;
- (2)incorporate guidelines on—
- (A)receiving information about a potential security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
- (B)disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
- (3)be consistent with the policies and procedures produced under section 659(m) of title 6.
- (c)Information itemsThe guidelines published under subsection (a) shall include example content, on the information items that should be reported, coordinated, published, or received pursuant to this section by a contractor, or any subcontractor thereof at any tier, providing an information system (including Internet of Things device) to the Federal Government.
- (d)OversightThe Director of OMB shall oversee the implementation of the guidelines published under subsection (a).
- (e)Operational and technical assistanceThe Secretary, in consultation with the Director of OMB, shall administer the implementation of the guidelines published under subsection (a) and provide operational and technical assistance in implementing such guidelines.