S. 1899
119th CONGRESS 1st Session
To require Federal contractors to implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.
IN THE SENATE OF THE UNITED STATES · May 22, 2025 · Sponsor: Mr. Warner · Committee: Committee on Homeland Security and Governmental Affairs
SEC. 1. Short title
- This Act may be cited as the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025.
SEC. 2. Federal contractor vulnerability disclosure policy
- (a) Recommendations
- (1) In general
- Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall—
- review the Federal Acquisition Regulation (FAR) contract requirements and language for contractor vulnerability disclosure programs; and
- recommend updates to such requirements and language to the Federal Acquisition Regulation Council.
- (2) Contents
- The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with National Institute of Standards and Technology (NIST) guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c).
- (b) Procurement requirements
- Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and amend the FAR as necessary to incorporate requirements for covered contractors to solicit and address information about potential security vulnerabilities relating to an information system owned or controlled by the contractor that is used in performance of a Federal contract.
- (c) Elements
- The update to the FAR pursuant to subsection (b) shall—
- to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c, 278g–3d); and
- to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.
- (d) Waiver
- The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if the agency Chief Information Officer—
- determines that the waiver is necessary in the interest of national security or research purposes; and
- not later than 30 days after granting the waiver, submits a notification and justification, including information about the duration of the waiver, to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.
- (e) Definitions
- In this section:
- The term "agency" has the meaning given the term in section 3502 of title 44, United States Code.
- The term "covered contractor" means a contractor (as defined in section 7101 of title 41, United States Code)—
- The term "Executive department" has the meaning given that term in section 101 of title 5, United States Code.
- The term "security vulnerability" has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
- The term "simplified acquisition threshold" has the meaning given that term in section 134 of title 41, United States Code.
SEC. 3. No additional funding
- No additional funds are authorized to be appropriated for the purpose of carrying out this Act.