Rep. Nancy Mace, R-S.C., has reintroduced legislation that would require the Office of Management and Budget (OMB) and the Department of Defense (DoD) to update Federal acquisition policies so that all federal contractors are required to implement vulnerability disclosure policies (VDPs) that comply with National Institute of Standards and Technology guidelines.
The congresswoman, who chairs the House Cybersecurity, Information Technology, and Government Innovation Subcommittee, first introduced the bill in August 2023. The measure was favorably reported out of the House Oversight and Government Reform Committee in early 2024.
The House bill attracted a Senate companion measure in August 2024 – spearheaded by Sens. Mark Warner, D-Va., and James Lankford, R-Okla. – which cleared the Senate Homeland Security and Governmental Affairs Committee in November.
“This is a matter of national security,” said Rep. Mace of the bill’s aims. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses.”
“This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches,” she continued.
In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and OMB required Federal agencies to develop and publish VDPs for their internet-accessible systems, creating a proactive measure to protect and gain insight into critical systems.
Yet not all contractors are required to implement VDPs, with the IoT Cybersecurity Improvement Act of 2020 standing as the only current guideline applicable to certain Federal contractors.
If it becomes law, the legislation would require OMB to oversee updates to the Federal Acquisition Regulation (FAR) to enforce VDP requirements for civilian contractors. The Secretary of Defense would be charged with ensuring the Defense Federal Acquisition Regulation Supplement (DFARS) enforces the same requirements across defense contractors.
“Cybersecurity isn’t optional, it’s essential. To ensure that our systems are fully secure, we need to make sure federal contractors follow national guidelines to protect digital infrastructure,” said Rep. Shontel Brown, D-Ohio, who is cosponsoring the bill.
“As our nation faces escalating cyber threats from China and other foreign adversaries, it is critical to protect sensitive government information and personal data,” said Ilona Cohen, chief legal and policy officer at HackerOne, in a statement today.
“The Federal Contractor Cybersecurity Vulnerability Reduction Act addresses a gap in our nation’s cybersecurity defenses by requiring federal contractors to take a proactive approach to identifying and mitigating vulnerabilities before they can be exploited,” Cohen said. “We commend Representatives Mace and Brown for their leadership on this essential legislation.”