New bill would require all federal contractors to develop vulnerability disclosure policies
The Federal Cybersecurity Vulnerability Reduction Act aims to establish standardized vulnerability disclosure policies across all federal contractors.
Rep. Nancy Mace, R-S.C., introduced a bill Thursday that would require all federal contractors to implement vulnerability disclosure policies, as part of an effort to prevent the exploitation of software vulnerabilities on federal networks.
The Federal Cybersecurity Vulnerability Reduction Act instructs the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology to develop recommendations for the Federal Acquisition Regulation Council to update contract requirements, ensuring federal contractors implement vulnerability disclosure policies consistent with NIST guidelines.
The bill also calls on the Defense Department specifically to develop new requirements for all contractors to implement standardized vulnerability disclosure policies within six months, and tasks the Defense secretary with revising current acquisition regulations to include new information sharing requirements for contractors that face potential security vulnerabilities.
Mace, who serves as chair of the House Oversight Subcommittee on Cybersecurity, Information Technology and Government Innovation, said in a statement that the new bill will play a "crucial role" in safeguarding U.S. digital infrastructure.
"By mandating vulnerability disclosure policies for federal contractors, we can ensure a proactive approach to cybersecurity," she said, adding that the bill "empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information."
The legislation builds on recent federal guidance instructing agencies to develop and implement vulnerability disclosure policies, including a binding operational directive published by CISA in 2020. OMB also issued a vulnerability disclosure policy that same year, providing a roadmap for agencies to manage their vulnerability research programs.
Ilona Cohen, chief legal and policy officer of the cybersecurity firm HackerOne, said the new bill "fills an important gap in the security of contractors who are supporting government functions."
Currently, the Internet of Things Cybersecurity Improvement Act of 2020 only requires certain contractors to implement disclosure policies.
"Engaging the security researcher community through [vulnerability disclosure policies] is a proven, effective way for federal contractors to identify vulnerabilities in their systems," Cohen said.
The National Cybersecurity Strategy implementation plan, released in July, also called for coordinated vulnerability disclosures across the public and private sectors, tasking CISA with building domestic and international support for increased vulnerability disclosures and establishing an international vulnerability coordinator community of practice.