House passes bill requiring federal contractors to have vulnerability disclosure policies

A bill that would close a loophole in federal cybersecurity standards by requiring government contractors to abide by vulnerability disclosure policies moved one step closer to law Monday after sailing through the House.
The passage of the Federal Contractor Cybersecurity Vulnerability Reduction Act in the House came a month after Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, reintroduced their legislation, which had a companion version last year from Sens. Mark Warner, D-Va., and James Lankford, R-Okla.
Under the bill, covered contractors with the federal government would have to implement vulnerability disclosure policies (VDPs) that are consistent with National Institute of Standards and Technology guidelines. The Office of Management and Budget and the Defense Department would be required to update federal acquisition policies accordingly.
Mace said in a floor speech Monday that the policies currently in place for federal agencies enable third-party researchers and white-hat hackers to work with the government to identify and patch vulnerabilities before a cyberattack occurs, preventing “malign actors affiliated with China, Russia, Iran and others” from exploiting insecure IT systems.
“This was an important step in federal cybersecurity, but the work of federal agencies is supplemented by millions of contractors working on behalf of federal departments and agencies,” said Mace, who chairs the House Oversight and Government Reform Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
The federal government awards over 11 million contracts annually, Mace added, giving contractors access to “vast amounts of sensitive information, including personally identifiable information of American citizens.” Compelling federal contractors to follow NIST best practices and guidelines “will help protect the sensitive data of American citizens and our national security,” she said.
Rep. Gerry Connolly, D-Va., ranking member of the House Oversight Committee, called VDPs “an extremely effective tool” to defend systems from cyber threats.
“Most federal agencies already have such policies, as do federal contractors and subcontractors providing information systems and Internet of Things devices to federal agencies,” he said. “By requiring all federal contractors to follow suit, this bill shores up another front in the neverending battle to protect the federal government’s information systems and data, and thereby the American public.”
The bill is backed by several tech companies, including Microsoft, Tenable, Trend Micro and Schneider Electric. A letter from HackerOne and signed by those companies and others was sent to congressional leadership Friday, urging the lawmakers to “swiftly” pass the legislation.
“We commend the bill’s co-sponsors for their leadership on this issue and applaud the House for making this legislation a priority,” Ilona Cohen, chief legal and policy officer of HackerOne, said in a statement. “We look forward to working with the Senate to enact this important bipartisan legislation that will increase protections for sensitive government information and personal data.”