Vulnerability disclosure policy bill for federal contractors clears Senate panel

The Homeland Security and Governmental Affairs Committee on Wednesday also advanced legislation to strengthen the federal IT supply chain.
Sen. Mark Warner, D-Va., speaks during a press conference in Washington, D.C., on March 20, 2018. From left, Sens. John Cornyn, James Lankford, Susan Collins and Richard Burr listen. (NICHOLAS KAMM/AFP via Getty Images)

A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.

The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”

Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.

The legislation was previously touted by cyber firms including Palo Alto Networks and HackerOne. In a statement provided to CyberScoop on Wednesday, Ilona Cohen, HackerOne’s chief legal and policy officer, said “the overwhelming bipartisan support in both the Senate and House” of the bill “provides additional momentum for enacting this legislation as part of this year’s” National Defense Authorization Act.

The bill was written in part as a response to the 2015 Office of Personnel Management data breach, in which vulnerabilities in systems used by two contractors that stored data on federal employee background checks were exploited. 

“Federal agencies have made significant progress in implementing vulnerability disclosure policies,” Cohen said. “This legislation will address a gap in our nation’s cybersecurity defenses by requiring contractors to adopt this best practice to protect government information and personal data.”

Other cyber bills move forward

Days after Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced legislation to strengthen oversight powers of an interagency federal council charged with securing the government’s IT supply chain, the bill cleared HSGAC and now awaits a full Senate vote.

The Federal Acquisition Security Council Improvement Act of 2024 (S. 5310) from Peters, who chairs HSGAC, and Rounds, a member of the Senate Intelligence Committee, seeks to combat security threats posed by technology products made by companies with ties to foreign adversaries, particularly China. 

The legislation, a companion to a House bill introduced in September, would give the Office of the National Cyber Director leadership authorities over the Federal Acquisition Security Council, which is currently overseen by the Office of Management and Budget.

The bill also aims to push the FASC to pursue orders to block the use of technologies that may threaten national security — something the council hasn’t done in its six years of existence. The legislation would establish a process to allow Congress to initiate investigations into potentially risky tech, with the FASC then ordering a ban on government purchases of that product or a ban on products from the company in question. 

Two pieces of cybersecurity workforce legislation also cleared the Senate panel Wednesday: the DHS Cybersecurity On-the-Job Training Program Act (H.R. 3208) and the DHS Cybersecurity Internship Program Act (S. 5321). Both bills would amend the Homeland Security Act of 2002. 

The first bill, introduced last year by Rep. Sheila Jackson Lee, D-Texas, directs DHS to develop a program to train agency workers on cyber-related matters at the department. The second bill, from Peters and Rep. Yvette Clarke, D-N.Y., would create a paid cybersecurity internship program within DHS.

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.