The House Oversight and Accountability Committee voted on May 15 to approve a bill that would require federal contractors to implement vulnerability disclosure policies. The bill will now go to the full House of Representatives for further consideration.
The Federal Contractor Vulnerability Elimination Act of 2024 was introduced by Rep. Nancy Mace, R-S.C., who chairs the House Oversight Subcommittee on Cybersecurity, Information Technology and Government Innovation.
Implementation of the vulnerability disclosure policies “would ensure that federal contractors promptly receive information about potential security vulnerabilities in their information systems, enabling them to take proactive measures to address and mitigate any risks,” the congresswoman’s office said.
The legislation would task the Office of Management and Budget (OMB) with updating the Federal Acquisition Regulation to include requirements for covered contractors to implement the vulnerability disclosure policies. The bill would also require contractors doing business with the Defense Department to follow the updated procurement regulations, Rep. Mace’s office said.
The proposed new policies would be consistent with standards developed by the National Institute of Standards and Technology.
“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Rep. Mace said after the committee’s vote.
“This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information,” she said.
“Federal agencies must act quickly when dealing with a cyber-attack,” said full committee Chairman James Comer, R-Ky. “The sooner a federal agency knows it may have a problem, the sooner it can take steps to protect its systems and data, including the personal data of millions of Americans. It’s reasonable to require federal contractors to play a proactive role in addressing information system vulnerabilities.”