A bipartisan pair of senators today announced their plan to introduce companion legislation to strengthen Federal cybersecurity by requiring government contractors to implement vulnerability disclosure policies (VDPs).
The Federal Contractor Cybersecurity Vulnerability Reduction Act was first introduced in the House by Rep. Nancy Mace, R-S.C., in August 2023. It was favorably reported out of committee earlier this year and now awaits consideration by the full House.
The Senate legislation – spearheaded by Sens. Mark Warner, D-Va., and James Lankford, R-Okla. – would require all Federal contractors to implement VDPs in an effort to better protect information systems for both the public and private sectors.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Sen. Warner said in a statement today. “This legislation will ensure that Federal contractors, along with Federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks.”
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Sen. Lankford said.
The Federal government has long recognized VDPs as one of the most effective methods for gaining insight into security vulnerabilities. In fact, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) required Federal agencies to develop and publish VDPs for their internet-accessible systems in 2020.
However, not all Federal contractors are required to implement VDPs. The IoT Cybersecurity Improvement Act of 2020 – led by Sen. Warner – is the only current guideline that imposes such a requirement, and it applies only to certain Federal contractors.
The bicameral, bipartisan bill would require OMB to update the Federal Acquisition Regulation (FAR) to ensure Federal contractors implement VDPs and require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.
“This bipartisan legislation addresses a critical gap in our nation’s cybersecurity protections by bringing the practices of Federal contractors in line with those of the agencies they serve and with guidelines issued by the National Institute of Standards and Technology,” said Ilona Cohen, chief legal and policy officer of HackerOne. “This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors. We applaud Senators Warner and Lankford for their leadership on this important issue.”