Last progress March 4, 2025
Introduced on January 31, 2025 by Nancy Mace
On motion to suspend the rules and pass the bill, as amended: Agreed to by voice vote. (text: CR H930-931)
Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
This bill makes federal contractors set up clear, safe ways to report cybersecurity “bugs” in the systems they use for government work. It tells the Office of Management and Budget to review and update federal contracting rules so contractors can receive and fix reports about security flaws, using National Institute of Standards and Technology (NIST) guidelines and common industry standards. These updates are due about six months after the bill becomes law, with another six months for the contracting rules to be changed. Similar updates must be made for Defense Department contracts as well.
It applies to contractors with most contracts worth $250,000 or more, and to any contractor that runs or manages a federal information system for an agency. Agencies can grant waivers only when needed for national security or research, and they must notify Congress soon after. The goal is to make it easier for security researchers and others to responsibly report problems, so contractors can fix issues faster and better protect government data.
Key points