Senators take another swing at vulnerability disclosure policy bill for federal contractors

A bipartisan pair of senators is taking another shot at legislation that would require federal government contractors to follow National Institute of Standards and Technology guidelines on vulnerability disclosure policies.
The Federal Contractor Cybersecurity Vulnerability Reduction Act from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., advanced out of the chamber’s Homeland Security and Governmental Affairs Committee last November, but never got a full floor vote.
The companion bill from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, meanwhile, was reintroduced in January and passed the House in March.
The re-do from Warner and Lankford would make sure government contractors have the same legal obligations that federal agencies do in abiding by NIST’s recommendations on vulnerability disclosure policies. With VDPs, organizations can receive unsolicited reports on software vulnerabilities and patch them before an attack occurs.
Warner said in a press release that VDPs “are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices. This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security.”
Said Lankford: “Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking.”
The bill requires the Office of Management and Budget to monitor updates to the Federal Acquisition Regulation that confirm federal contractors are implementing VDPs aligned with NIST standards. It places a similar requirement on the Defense secretary for updates to the Defense Federal Acquisition Regulation Supplement.
The legislation has powerful industry backing: Bruce Byrd, executive vice president and general counsel of Palo Alto Networks, said in a statement that the legislation would “promote federal cyber resilience” and “benefit the entire cybersecurity ecosystem.”
Ilona Cohen, chief legal and policy officer at HackerOne, said the bill “addresses a critical gap in our nation’s defenses. This common sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process.”