In light of the rise in software supply chain attacks, Rep. Nancy Mace, R-S.C., introduced new legislation today that aims to help Federal contractors identify and fix software vulnerabilities before adversaries can exploit them.
The Federal Cybersecurity Vulnerability Reduction Act would require all Federal contractors to implement vulnerability disclosure policies (VDPs) in an effort to better protect information systems for both the public and private sectors.
The Federal government has long recognized VDPs as one of the most effective methods for gaining insight into security vulnerabilities. In fact, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) required Federal agencies to develop and publish VDPs for their internet-accessible systems in 2020.
However, not all Federal contractors are required to implement VDPs. The IoT Cybersecurity Improvement Act of 2020 is the only current guideline that imposes such a requirement, and it applies only to certain Federal contractors.
Through the new bill, Rep. Mace, the chairwoman of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation, aims to bring a comprehensive approach to protecting Federal systems and data. By requiring VDPs for Federal contractors, the bill would ensure continuous monitoring of Federal contractors’ business systems and give security researchers clear instructions for safely disclosing the vulnerabilities they find.
“Congresswoman Mace’s introduction of the Federal Cybersecurity Vulnerability Reduction Act fills an important gap in the security of contractors who are supporting government functions,” said Ilona Cohen, chief legal and policy officer of the popular bug bounty program HackerOne.
“Engaging the security researcher community through VDPs is a proven, effective way for Federal contractors to identify vulnerabilities in their systems. HackerOne stands ready to work with Congress to get this legislation passed and implemented,” Cohen added.
Cohen, who previously served as general counsel to OMB, worked hand-in-hand with Rep. Mace to bring this bill to life.
“We want to thank Congresswoman Mace for introducing such important legislation,” added Marten Mickos, CEO of HackerOne. “When Federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks.”
Rep. Ted Lieu, D-Calif., introduced similar legislation in 2021 through his Improving Contractor Cybersecurity Act, which also aimed to require any vendor looking to do business with the Federal government to have a VDP in place.