The bill strengthens federal supply-chain cybersecurity and transparency without new federal spending, but it shifts costs and resource pressure onto contractors and existing agency budgets, which could limit effectiveness and delay or reduce services.
Government contractors and federal agencies: contractors will be required to solicit and address security vulnerability reports, improving detection and remediation of software and system flaws in federal contracts.
Government contractors and tech workers: aligning contractor policies with NIST guidance and ISO standards promotes consistent, industry-recognized cybersecurity practices across federal supply chains.
Taxpayers: the Act prohibits new appropriations so it will not create new direct federal spending obligations.
State governments, nonprofits, program beneficiaries, and federal agencies: because the Act bars new appropriations and must be implemented from existing budgets, implementation may be underfunded, limiting the Act's effectiveness and causing services or benefits to be reduced, delayed, or never delivered.
Government contractors and taxpayers: covered contractors will incur compliance costs to implement and maintain vulnerability disclosure programs, which could raise contract prices or bid costs passed through to taxpayers.
Federal employees and taxpayers: waiver authority for national-security or research purposes could be overused, producing uneven protection across federal systems and leaving waived systems without a channel for receiving and addressing vulnerability reports.
Based on analysis of 3 sections of legislative text.
Directs OMB and agencies to update FAR contract language so covered contractors must solicit and address vulnerability reports for contractor-controlled systems, with limited waivers.
Requires the Office of Management and Budget, working with federal cybersecurity agencies, to update federal contracting rules so covered contractors must have vulnerability disclosure programs that solicit and address reports of security flaws in contractor-controlled systems used on federal contracts. The FAR Council must amend the Federal Acquisition Regulation after receiving OMB's recommendations, with both steps subject to 180-day deadlines; agency CIOs can grant limited national-security or research waivers but must notify congressional oversight committees within 30 days. The bill does not authorize new spending and must be implemented using existing funds.
Introduced May 22, 2025 by Mark R. Warner · Last progress May 22, 2025