PRIA Logo
Take the PRIA Score
Title 15Commerce and TradeRelease 119-73

§278g–3c Guidelines on the disclosure process for security vulnerabilities relating to information systems, including Internet of Things devices

Title 15 › Chapter CHAPTER 7— - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY › § 278g–3c

Last updated Apr 6, 2026|Official source

Summary

The Director of the Institute must, within 180 days after December 4, 2020, work with cybersecurity researchers, industry experts, and the Secretary to create and publish guidelines. The guidelines will tell agencies, contractors, and subcontractors how to report, share, publish, and receive information about security problems in agency information systems, including Internet of Things devices, and how to report fixes. The guidelines must follow industry best practices and, when practical, match ISO Standards 29147 and 30111 (or their successors). They must include example content showing what details contractors should report or share. The Director of OMB will oversee putting the rules into practice, and the Secretary, with the Director of OMB, will run the implementation and provide technical and operational help.

Full Legal Text

Title 15, §278g–3c

Commerce and Trade — Source: USLM XML via OLRC

(a)Not later than 180 days after December 4, 2020, the Director of the Institute, in consultation with such cybersecurity researchers and private sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall develop and publish under section 278g–3 of this title guidelines—
(1)for the reporting, coordinating, publishing, and receiving of information about—
(A)a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and
(B)the resolution of such security vulnerability; and
(2)for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—
(A)receiving information about a potential security vulnerability relating to the information system; and
(B)disseminating information about the resolution of a security vulnerability relating to the information system.
(b)The guidelines published under subsection (a) shall—
(1)to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely-used standard;
(2)incorporate guidelines on—
(A)receiving information about a potential security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
(B)disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device); and
(3)be consistent with the policies and procedures produced under section 659(m) of title 6.
(c)The guidelines published under subsection (a) shall include example content, on the information items that should be reported, coordinated, published, or received pursuant to this section by a contractor, or any subcontractor thereof at any tier, providing an information system (including Internet of Things device) to the Federal Government.
(d)The Director of OMB shall oversee the implementation of the guidelines published under subsection (a).
(e)The Secretary, in consultation with the Director of OMB, shall administer the implementation of the guidelines published under subsection (a) and provide operational and technical assistance in implementing such guidelines.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Codification Section was enacted as part of the Internet of Things Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Improvement Act of 2020, and not as part of the National Institute of Standards and Technology Act which comprises this chapter.

Statutory Notes and Related Subsidiaries

Definitions For definitions of terms used in this section, see section 278g–3a of this title.

Reference

Citations & Metadata

Citation

15 U.S.C. § 278g–3c

Title 15Commerce and Trade

Last Updated

Apr 6, 2026

Release point: 119-73