Sens. Mark Warner, D-Va., and James Lankford, R-Okla., on May 23 reintroduced the Federal Contractor Cybersecurity Vulnerability Reduction Act, a bill that would require Federal government contractors to implement vulnerability disclosure policies (VDPs).
The bipartisan pair of senators introduced the bill during the last Congress. The measure advanced out of the Senate Homeland Security and Governmental Affairs Committee in November but did not make it to a floor vote.
Meanwhile, Rep. Nancy Mace, R-S.C., reintroduced the House version of the bill in January, and it passed the full House in March.
“Vulnerability disclosure policies are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices,” Sen. Warner said in a press release. “This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security.”
The Federal government has long recognized VDPs as one of the most effective methods for retaining insights into security vulnerabilities. Notably, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency required Federal agencies to develop and publish VDPs for their internet-accessible systems in 2020.
However, the senators explained that there is no requirement for Federal contractors – civilian or defense – to have VDPs.
The bipartisan, bicameral bill would require OMB to oversee updates to the Federal Acquisition Regulation to ensure Federal contractors implement VDPs consistent with guidelines set by the National Institute for Standards and Technology.
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Sen. Lankford said.
The legislation is backed by several cybersecurity firms, including Palo Alto Networks. Bruce Byrd, executive vice president and general counsel of Palo Alto Networks, said in a statement that the bill “will benefit the entire cybersecurity ecosystem.”
“This legislation addresses a critical gap in our nation’s defenses,” added Ilona Cohen, chief legal and policy officer at HackerOne. “This common sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process.”