This bill aims to boost cybersecurity for government work by requiring federal contractors to set up a clear way for security researchers and the public to report software flaws—and for contractors to fix them. The rules must follow federal and industry guidelines, including NIST and ISO standards, and will be built into federal contracts through updates to the Federal Acquisition Regulation (FAR) .

The Office of Management and Budget will review current contract language and recommend updates, and then the FAR Council will add the new requirements. Agencies can grant limited waivers for national security or research reasons, with notice to Congress. No new funding is provided for this effort .

• Key points:
  • Who is affected: Companies that contract with the federal government (“covered contractors”) and run information systems used to perform federal work .
  • What changes: Contractors must have a vulnerability disclosure policy, actively invite reports of security issues, and address those issues, aligned with NIST and ISO standards and existing federal IoT security rules .
  • When: OMB has 180 days after enactment to recommend FAR updates, and the FAR Council then has 180 days to finalize changes after receiving those recommendations .
  • Exceptions: An agency may waive the requirement for national security or research, with a written justification and notice to Congress .
  • Funding: No additional money is authorized to carry this out .