The bill strengthens federal supply-chain cybersecurity and transparency by requiring vulnerability reporting and aligning practices with recognized standards, but it shifts compliance costs to contractors and forces implementation within existing agency budgets, risking underfunding, service delays, and uneven protections if waivers are overused.
Government contractors and federal agencies: covered contractors must solicit and address security vulnerability reports, improving detection and remediation of software and system flaws used in federal contracts.
Government contractors and federal supply chains: aligning contractor policies with NIST guidance and ISO standards promotes consistent, industry-recognized cybersecurity practices across vendors supporting the federal government.
Federal oversight and taxpayers: agency CIOs must notify congressional oversight committees when waivers are granted, increasing transparency about national-security or research exceptions to vulnerability reporting.
Federal agencies, state partners, nonprofits, and program beneficiaries: because the Act cannot receive new appropriations, implementation may be underfunded, forcing agencies to absorb costs, reduce or delay services, or reallocate funds from other priorities.
Government contractors and taxpayers: contractors will incur compliance costs to implement and maintain vulnerability disclosure programs, which can raise bid and contract prices.
Federal systems and taxpayers: the waiver authority for national-security or research purposes could be overused, creating uneven protection if some contracts or systems are exempted from vulnerability reporting.
Based on analysis of 3 sections of legislative text.
Directs OMB and the FAR Council to add FAR contract clauses requiring covered federal contractors to solicit and address vulnerability reports consistent with NIST; agencies may grant limited waivers; no new funds authorized.
Official title: Require Federal contractors to implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.
Introduced May 22, 2025 by Mark R. Warner · Last progress May 22, 2025
Requires federal agencies, led by OMB with input from CISA, NIST, and the National Cyber Director, to update Federal Acquisition Regulation (FAR) contract language so covered federal contractors must operate vulnerability disclosure programs consistent with NIST guidance. OMB must recommend FAR language within 180 days of enactment, and the FAR Council must amend the FAR within 180 days of receiving those recommendations; agencies may grant limited national-security or research waivers but must notify congressional oversight committees. No new appropriation authority is provided; implementation must use existing funds.