The bill standardizes and strengthens vulnerability disclosure across federal contractors and adds congressional oversight of waivers, improving the odds that vulnerabilities in contractor-run systems are reported and fixed, at the cost of added compliance expenses for contractors, possible security gaps where national-security or research waivers are granted, and short-term resource demands on the agencies that must write the rules.
Government contractors will be required to receive and handle security vulnerability reports, increasing the chance software and systems used by the federal government are fixed before exploitation.
Contractor vulnerability disclosure policies must align, to the maximum extent practicable, with existing NIST guidance and ISO vulnerability-disclosure standards, standardizing practice across federal contractors and making supply-chain cybersecurity expectations more consistent.
Agencies and the Department of Defense must notify Congress when national security or research waivers are used, increasing congressional oversight of exceptions to reporting requirements.
Allowing waivers for national security or research could limit vulnerability reporting and remediation for some systems, leaving certain government systems and the public they serve less protected.
Covered contractors will face added compliance costs to implement and operate vulnerability disclosure programs, which could increase contract execution costs borne by contractors and ultimately taxpayers.
OMB, the FAR Council, and DoD must each meet back-to-back 180-day deadlines (recommendations first, then rule revisions), requiring staff time that diverts federal employees from other work and program priorities.
Based on analysis of 2 sections of legislative text.
Requires updates to the FAR and DFARS so covered contractors must implement vulnerability disclosure programs aligned with NIST guidance, the IoT Cybersecurity Improvement Act provisions, and ISO vulnerability-disclosure standards, with limited national-security and research waivers.
Introduced January 31, 2025 by Nancy Mace · Last progress March 4, 2025
Requires federal rulemakers to update procurement rules so covered federal contractors must accept and process reports of security vulnerabilities in contractor-controlled information systems. OMB (with CISA, NIST, the National Cyber Director, and other agencies) must recommend updates to the FAR within 180 days of enactment, and the FAR Council must revise the FAR within 180 days after receiving those recommendations; the Department of Defense must carry out a parallel review and update the DFARS on the same timeline. Updates must align, to the maximum extent practicable, with existing NIST guidance, the IoT Cybersecurity Improvement Act provisions, and ISO vulnerability-disclosure standards. Agencies may grant written waivers for national security or research reasons; each waiver requires a written justification and notification to Congress within 30 days. The bill also defines key terms (for example, "covered contractor," "security vulnerability," and procurement terms) and applies to contracts above the simplified acquisition threshold unless waived for the specified reasons.