Introduced January 31, 2025 by Nancy Mace · Last progress March 4, 2025
The bill improves federal vulnerability disclosure and alignment with established cybersecurity standards—boosting coordinated security and transparency—but imposes compliance costs that could raise contract prices and deter some smaller vendors, and includes waivers that limit uniform security gains.
Government contractors and taxpayers: Contractors must accept and process reports of security vulnerabilities, increasing the likelihood that vulnerabilities in contractor-controlled systems are identified and patched faster.
Government contractors and federal employees: Contractor policies will be aligned with NIST, IoT Act, and ISO standards, creating consistent, widely accepted procedures for coordinated vulnerability disclosure.
Federal employees and contractors: A waiver process with required congressional notification preserves flexibility for national-security or research exceptions while adding transparency about when and why exceptions are made.
Government contractors and taxpayers: Contractors will face increased compliance costs to implement disclosure programs, which could raise contract prices or administrative burden.
Taxpayers and government contractors: Waivers for national security or research could leave some systems without standardized disclosure processes, reducing the security benefits for the affected contracts.
Small businesses and potential federal vendors: Tighter contractor obligations could deter some suppliers from bidding on federal contracts or increase contracting complexity for smaller vendors, reducing competition.
Based on analysis of 2 sections of legislative text.
Directs OMB/CISA/NIST review and requires FAR/DFARS updates so covered federal contractors must accept reports of potential security vulnerabilities, aligned with IoT Act and ISO standards.
Requires federal agencies and the Department of Defense to update acquisition rules so covered federal contractors must accept reports of potential security vulnerabilities in contractor-controlled information systems used to perform federal contracts. Sets timelines for OMB (with CISA, NIST, National Cyber Director, and other agencies) to review current FAR language and for the FAR Council and DoD to issue updated FAR/DFARS clauses aligned with existing IoT cybersecurity provisions and ISO vulnerability-disclosure standards. Allows agency and DoD CIO waivers when necessary for national security or research purposes, with written notification to relevant congressional committees. Defines key terms and ties coverage to the simplified acquisition threshold; does not authorize new spending or specify enforcement penalties in the text provided.