The bill strengthens federal cybersecurity and clarifies protections for security researchers, improving detection and remediation of vulnerabilities, but it imposes new compliance and reporting burdens that could raise costs for contractors and taxpayers and create legal or reputational risks for vendors.
Federal employees, taxpayers, and the public will receive faster notification and patching of IT vulnerabilities in federal systems, reducing the risk of breaches and service disruptions.
Taxpayers and federal employees will benefit from increased transparency and coordination (public web pages, timelines, and CISA reporting) that should speed remediation and improve public awareness of vulnerabilities.
Security researchers and tech workers will gain clearer safe-harbor commitments, reducing fear of civil suits for good-faith vulnerability testing and encouraging responsible research.
Taxpayers, federal agencies, and small-business contractors will face higher compliance and program-maintenance costs to implement detailed disclosure and reporting programs, which could raise contract prices and increase taxpayer burden.
Tech workers and federal IT vendors will face increased administrative burden and potential operational risk from tight (7-day) reporting obligations to CISA, complicating the timing and handling of sensitive fixes.
Tech workers and contractors may incur legal or reputational risks from required public reporting and researcher-protection policies if those policies are misused or sensitive data are mishandled.
Based on analysis of 2 sections of legislative text.
Requires executive-branch IT contractors to publish vulnerability disclosure policies and report specified vulnerability reports to CISA, which will forward them to CVE/NVD as needed.
Introduced February 12, 2025 by Ted Lieu · Last progress February 12, 2025
Requires companies that provide information technology (IT) products or services to executive branch agencies to publish and maintain a vulnerability disclosure policy and program as a condition of entering into IT contracts, and to report certain vulnerability information to the Cybersecurity and Infrastructure Security Agency (CISA). The policy must specify which systems are in scope, what testing is allowed, how sensitive data are to be handled, timelines for receipt, assessment, and remediation, researcher protections, public submission channels (including a web page), and referral procedures for cases where the contractor cannot fix a problem. Contractors must notify CISA within 7 days after publishing their policy and must report to CISA on an ongoing basis, including credible reports of previously unknown public vulnerabilities in systems that use commercial software when a patch or mitigation is available, and any other situations where CISA involvement would be helpful. CISA will forward submitted vulnerabilities to the MITRE CVE program and the NIST National Vulnerability Database as appropriate. The rule takes effect on enactment and applies to contracts entered into on or after that date.