Rep. Ted Lieu, D-Calif., on Aug. 29 reintroduced his Improving Contractor Cybersecurity Act, which aims to require vendors that wish to do business with the United States government to maintain vulnerability disclosure policies (VDP) and programs.
The bill states that the head of an executive agency may not enter into a contract for information technology unless the contractor maintains a VDP for IT.
Rep. Lieu previously introduced the legislation in 2021, but it failed to make it out of the House Oversight and Accountability Committee.
“I have long been a supporter of vulnerability disclosure policies and programs (VDPs) in both the federal government and private sector,” Rep. Lieu said when he first introduced the legislation two years ago. “They allow security researchers to find software vulnerabilities and notify owners before they can be exploited by bad actors.”
He added, “There is no reason government contractors shouldn’t also be asked to maintain vulnerability disclosure policies, given the complex web of third-party vendors on which the United States relies.”
Rep. Lieu’s reintroduction of the bill comes just five days after Rep. Nancy Mace, R-S.C., introduced the Federal Cybersecurity Vulnerability Reduction Act, which aims to help Federal contractors identify and fix software vulnerabilities before adversaries can exploit them.
Rep. Mace’s legislation would require all Federal contractors to implement VDPs in an effort to better protect information systems for both the public and private sectors.
Through the new bill, Rep. Mace – the chairwoman of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation – aims to bring a comprehensive approach to protecting Federal systems and data. By requiring VDPs for Federal contractors, the bill would ensure continuous monitoring of Federal contractors’ business systems and offer clear instructions to the security researchers who safely disclose the vulnerabilities.