Bill requiring federal contractors to have vulnerability disclosure policies gets House redo

Reps. Nancy Mace and Shontel Brown reintroduced VDP legislation after the 2024 bipartisan, bicameral bill didn’t get a full Senate vote.
Rep. Nancy Mace, R-S.C., listens as FEMA Administrator Deanne Criswell testifies during a House Oversight Committee Hearing at the Rayburn House Office Building on Nov. 19, 2024 in Washington, D.C. (Photo by Kevin Dietsch/Getty Images)

Bipartisan legislation to close a loophole in federal cybersecurity standards by requiring vulnerability disclosure policies for government contractors is getting another shot at passage in this Congress.

The Federal Contractor Cybersecurity Vulnerability Reduction Act, a bicameral, bipartisan bill that stalled out last year in the Senate, was reintroduced Friday in the House by Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio.

The bill, whose 2024 companion in the upper chamber came from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., calls on the Office of Management and Budget and the Defense Department to update federal acquisition policies to require all federal contractors to institute vulnerability disclosure policies (VDPs).

“This is a matter of national security,” Mace said in a press release. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses. This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches.”

Brown added that the bill would help to “better protect sensitive data from malicious actors.”

“Cybersecurity isn’t optional, it’s essential,” she said. “To ensure that our systems are fully secure, we need to make sure federal contractors follow national guidelines to protect digital infrastructure.”

Under current law, federal agencies must have vulnerability disclosure policies that align with National Institute of Standards and Technology benchmarks. U.S. government contractors have no such obligation.

In a fact sheet released by Warner and Lankford last August when they rolled out the Senate version of Mace’s bill, the lawmakers pointed to the 2015 Office of Personnel Management data breach, which was made possible by vulnerabilities in systems used by two contractors that stored data on federal employee background checks.

In the last Congress, the bill had bipartisan support and notable industry backing. Ilona Cohen, chief legal and policy officer of HackerOne, said in a statement to CyberScoop that “escalating cyber threats from China and other foreign adversaries” make it especially “critical to protect sensitive government information and personal data.”

“The Federal Contractor Cybersecurity Vulnerability Reduction Act addresses a gap in our nation’s cybersecurity defenses by requiring federal contractors to take a proactive approach to identifying and mitigating vulnerabilities before they can be exploited,” Cohen added. “We commend Representatives Mace and Brown for their leadership on this essential legislation.”

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.