Recommendations for Federal Vulnerability Disclosure Guidelines

Schaffer, Kim; Mell, Peter; Trinh, Hung; Van Wyk, Isabel

doi:https://doi.org/10.6028/NIST.SP.800-216

SP 800-216

Recommendations for Federal Vulnerability Disclosure Guidelines

Documentation Topics

Date Published: May 2023

Planning Note (5/24/2023): Send inquiries about this publication to sp800-216-comments@nist.gov.

Author(s)

Kim Schaffer (NIST), Peter Mell (NIST), Hung Trinh (NIST), Isabel Van Wyk (NIST)

Abstract

Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.

Keywords

advisory; Federal Coordination Body; findings report; source vulnerability report; vulnerability communication; Vulnerability Disclosure; Vulnerability Disclosure Policy; Vulnerability Disclosure Program Office; vulnerability processing; vulnerability tracking

Control Families

None selected

Documentation

Publication:
SP 800-216 (DOI)
Local Download

Supplemental Material:
None available

Document History:
06/07/21: SP 800-216 (Draft)
05/24/23: SP 800-216 (Final)

Topics

Security and Privacy
threats; vulnerability management

Laws and Regulations
Internet of Things Cybersecurity Improvement Act