Not all security vulnerabilities can be found through automated processes or testing. Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. In 2020 alone, more than 18,000 vulnerabilities were publicly listed in the National Vulnerability Database (NVD).
NIST is inviting comments on Draft NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which establishes a flexible, unified framework for establishing policies and implementing procedures for reporting, assessing, and managing vulnerability disclosures for systems within the Federal Government. Per the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and ISO/IEC30111, these guidelines address:
NIST is leading this government-wide effort in coordination with other agencies, including the Office of Management and Budget (OMB), the Department of Defense (DoD), and the Department of Homeland Security (DHS).
A public comment period for this document is open through August 9, 2021. See the publication details for a copy of the draft publication and instructions for submitting comments using the comment template provided. For any questions, please contact sp800-216-comments [at] nist.gov (sp800-216-comments[at]nist[dot]gov).
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.