Federal contractors to adhere to NIST guidelines, strengthen federal cybersecurity

Rebecca Barnabi

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 would strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST).

U.S. Sens. Mark R. Warner of Virginia, Vice Chairman of the Senate Select Committee on Intelligence, and James Lankford of Oklahoma, a member of the Senate Committee on Homeland Security & Governmental Affairs, introduced the legislation today.

“Vulnerability Disclosure Policies are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices. This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security,” Warner said.

Vulnerability Disclosure Policies (VDPs) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack happens. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues.

Civilian federal agencies are required to have VDPs; however, federal contractors, whether civilian or defense, are not required to have VDPs for the information systems used in the fulfillment of their contracts. The legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.

“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Lankford said.

The Federal Contractor Cybersecurity Vulnerability Reduction Act would:

  • Require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies;
  • Require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.

Warner and Lankford originally introduced the bipartisan legislation last year. As a leader in the cybersecurity realm, Warner has led numerous legislative efforts to protect the economic prosperity, national security and democratic institutions of the United States. He cofounded the bipartisan Senate Cybersecurity Caucus in 2016. In 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act, which was signed into law by President Donald Trump in December 2020 and requires that any IoT device purchased with federal funds meet minimum security standards. As chair of the Senate Select Committee on Intelligence, Warner co-authored legislation, subsequently signed into law, that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.

“This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.

Ilona Cohen, chief legal and policy officer at HackerOne, said cyberattacks by foreign adversaries and criminals are on the rise and the bill addresses a critical gap in the nation’s defenses.

“This common sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process,” Cohen said.
