The House voted on March 3 to approve a bill requiring the Office of Management and Budget (OMB) and the Department of Defense (DoD) to take steps to prevent cybersecurity vulnerabilities posed by Federal contractors.

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 requires OMB and DoD to require all Federal contractors to implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology (NIST).

The bill enjoyed bipartisan support in the House, with Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, as cosponsors.

“My bill would close a crucial vulnerability and protect our nation from malicious actors who seek to steal our data and harm our citizens,” Mace said during debate on the House floor Monday.

The bill tells OMB and DoD to make recommendations to their contractors based on the Federal Acquisition Regulation (FAR) and to update contract requirements and language for contractor vulnerability disclosures.

“Federal contractors with access to government systems and data should have the same safeguards in place as the government itself, ensuring Federal systems and data are protected and security vulnerabilities are addressed,” Mace said.

“Until these vulnerability disclosure policies are adopted across the entire Federal digital ecosystem, our nation’s data and security is at risk,” Mace said.

The recommendations apply to contractors whose contract is at or above the simplified acquisition threshold of $250,000, and to contractors that use, operate, manage, or maintain an agency’s information systems.

After recommendations are made, the Federal Acquisition Regulation Council must notify contractors of any vulnerability in an information system owned or controlled by that contractor in its service to OMB.

At the DoD, the defense secretary must take recommendations to revise the Defense Federal Acquisition Regulation Supplement (DFARS), which outlines legal requirements, DoD policies, and acquisition authorities. The recommendations must include requirements for contractors to be notified of potential security vulnerabilities in their information systems.

Officials from cybersecurity platform provider HackerOne celebrated the House vote in a statement today.

“We commend the bill’s co-sponsors for their leadership on this issue and applaud the House for making this legislation a priority,” said Ilona Cohen, chief legal and policy officer of HackerOne. “We look forward to working with the Senate to enact this important bipartisan legislation that will increase protections for sensitive government information and personal data,” Cohen added.

Andrew Rice is a MeriTalk Staff Reporter covering the intersection of government and technology.