US Code
CHAPTER 7— NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
§ 278g–3c. Guidelines on the disclosure process for security vulnerabilities relating to information systems, including Internet of Things devices

(a) In general
Not later than 180 days after December 4, 2020, the Director of the Institute, in consultation with such cybersecurity researchers and private sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall develop and publish under section 278g–3 of this title guidelines—
(1) for the reporting, coordinating, publishing, and receiving of information about—
(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and
(B) the resolution of such security vulnerability; and
(2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—
(A) receiving information about a potential security vulnerability relating to the information system; and
(B) disseminating information about the resolution of a security vulnerability relating to the information system.

(b) Elements
The guidelines published under subsection (a) shall—
(1) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely-used standard;
(2) incorporate guidelines on—
(A) receiving information about a potential security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
(B) disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
(3) be consistent with the policies and procedures produced under section 659(m) of title 6.

(c) Information items
The guidelines published under subsection (a) shall include example content, on the information items that should be reported, coordinated, published, or received pursuant to this section by a contractor, or any subcontractor thereof at any tier, providing an information system (including Internet of Things device) to the Federal Government.

(d) Oversight
The Director of OMB shall oversee the implementation of the guidelines published under subsection (a).

(e) Operational and technical assistance
The Secretary, in consultation with the Director of OMB, shall administer the implementation of the guidelines published under subsection (a) and provide operational and technical assistance in implementing such guidelines.
