Are guidance documents laws? No, but they can have legal significance.
The people who generate regulatory guidance documents are not legislators. Legislators delegate to agencies to make rules, and agencies delegate to other organizations to make guidelines. For example [1],
Even HHS, which has express cybersecurity rulemaking authority under the Health Insurance Portability and Accountability Act (HIPAA), has put a lot of the details of what it considers adequate cybersecurity into non-binding guidelines.
I’m not a lawyer, so nothing I can should be considered legal advice. However, the authors of [1] are lawyers.
The legal status of guidance documents is contested. According to [2], Executive Order 13892 said that agencies
may not treat noncompliance with a standard of conduct announced solely in a guidance document as itself a violation of applicable statutes or regulations.
Makes sense to me, but EO 13992 revoked EO 13892.
Again according to [3],
Under the common law, it used to be that government advisories, guidelines, and other non-binding statements were non-binding hearsay [in private litigation]. However, in 1975, the Fifth Circuit held that advisory materials … are an exception to the hearsay rule … It’s not clear if this is now the majority rule.
In short, it’s fuzzy.
[1] Jim Dempsey and John P. Carlin. Cybersecurity Law Fundamentals, Second Edition, page 245.
[2] Ibid., page 199.
[3] Ibid., page 200.