
Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

Introduced: Jan 31, 2025
Policy Area: Government Operations and Politics

Bill Statistics

Actions: 11
Cosponsors: 1
Summaries: 1
Subjects: 4
Text Versions: 3
Full Text: Yes


Latest Action

Mar 4, 2025
Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Summaries (1)

Introduced in House - Jan 31, 2025

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

This bill requires revisions to acquisition regulations related to information systems vulnerabilities for certain federal contractors. The revisions apply to contractors whose contract is at or above the simplified acquisition threshold ($250,000 in most cases) or that use, operate, manage, or maintain a federal information system on behalf of an agency.

Under the bill, the Office of Management and Budget must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for contractor vulnerability disclosure programs. (Such programs establish processes for identifying, reporting, and mitigating information system vulnerabilities discovered by security researchers, software developers, and others.) The recommendations must include requirements to ensure that such contractors implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology. The Federal Acquisition Regulation Council must review these recommendations and update the FAR as necessary to incorporate requirements for such contractors to receive information about potential security vulnerabilities in contractor information systems used in performance of the contract.

The Department of Defense (DOD) must conduct a similar review and update of regulations with respect to the DOD Supplement to the FAR.

Actions (11)

Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Type: IntroReferral | Source: Senate
Mar 4, 2025
Motion to reconsider laid on the table Agreed to without objection.
Type: Floor | Source: House floor actions | Code: H38310
Mar 3, 2025
4:02 PM
On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
Type: Floor | Source: House floor actions | Code: H37300
Mar 3, 2025
4:02 PM
Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
Type: Floor | Source: Library of Congress | Code: 8000
Mar 3, 2025
4:02 PM
DEBATE - The House proceeded with forty minutes of debate on H.R. 872.
Type: Floor | Source: House floor actions | Code: H8D000
Mar 3, 2025
3:51 PM
Considered under suspension of the rules. (consideration: CR H930-932)
Type: Floor | Source: House floor actions | Code: H30000
Mar 3, 2025
3:51 PM
Mr. Comer moved to suspend the rules and pass the bill, as amended.
Type: Floor | Source: House floor actions | Code: H30300
Mar 3, 2025
3:51 PM
Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Type: IntroReferral | Source: House floor actions | Code: H11100
Jan 31, 2025
Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Type: IntroReferral | Source: House floor actions | Code: H11100
Jan 31, 2025
Introduced in House
Type: IntroReferral | Source: Library of Congress | Code: Intro-H
Jan 31, 2025
Introduced in House
Type: IntroReferral | Source: Library of Congress | Code: 1000
Jan 31, 2025

Subjects (4)

Computer security and identity theft
Government information and archives
Government Operations and Politics (Policy Area)
Public contracts and procurement

Cosponsors (1)

Text Versions (3)

Referred in Senate - Mar 4, 2025
Engrossed in House - Mar 3, 2025
Introduced in House - Jan 31, 2025

Full Bill Text

Length: 7,237 characters
Version: Referred in Senate
Version Date: Mar 4, 2025
Last Updated: Nov 17, 2025 6:12 AM

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 872 Referred in Senate (RFS)]

119th CONGRESS
1st Session
H. R. 872

_______________________________________________________________________

IN THE SENATE OF THE UNITED STATES

March 4, 2025

Received; read twice and referred to the Committee on Homeland Security
and Governmental Affairs

_______________________________________________________________________

AN ACT

To require covered contractors to implement a vulnerability disclosure
policy consistent with NIST guidelines, and for other purposes.

Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1.

This Act may be cited as the ``Federal Contractor Cybersecurity
Vulnerability Reduction Act of 2025''.
SEC. 2.

(a) Recommendations.--

(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Director of the Office of
Management and Budget, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, the National
Cyber Director, the Director of the National Institute of
Standards and Technology, and any other appropriate head of an
Executive department, shall--
(A) review the Federal Acquisition Regulation
contract requirements and language for contractor
vulnerability disclosure programs; and
(B) recommend updates to such requirements and
language to the Federal Acquisition Regulation Council.

(2) Contents.--The recommendations required by paragraph (1)
shall include updates to such requirements designed to ensure that
covered contractors implement a vulnerability disclosure policy
consistent with NIST guidelines for contractors as required under
section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C.
278g-3c; Public Law 116-207).

(b) Procurement Requirements.--Not later than 180 days after the
date on which the recommended contract language developed pursuant to
subsection (a) is received, the Federal Acquisition Regulation Council
shall review the recommended contract language and update the FAR as
necessary to incorporate requirements for covered contractors to
receive information about a potential security vulnerability relating
to an information system owned or controlled by a contractor, in
performance of the contract.

(c) Elements.--The update to the FAR pursuant to subsection (b)
shall--

(1) to the maximum extent practicable, align with the
security vulnerability disclosure process and coordinated
disclosure requirements relating to Federal information systems
under sections 5 and 6 of the IoT Cybersecurity Improvement Act
of 2020 (Public Law 116-207; 15 U.S.C. 278g-3c and 278g-3d);
and

(2) to the maximum extent practicable, be aligned with
industry best practices and Standards 29147 and 30111 of the
International Standards Organization (or any successor
standard) or any other appropriate, relevant, and widely used
standard.
(d) Waiver.--The head of an agency may waive the security
vulnerability disclosure policy requirement under subsection (b) if--

(1) the agency Chief Information Officer determines that
the waiver is necessary in the interest of national security or
research purposes; and

(2) if, not later than 30 days after granting a waiver,
such head submits a notification and justification (including
information about the duration of the waiver) to the Committee
on Oversight and Government Reform of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate.

(e) Department of Defense Supplement to the Federal Acquisition
Regulation.--

(1) Review.--Not later than 180 days after the date of the
enactment of this Act, the Secretary of Defense shall review
the Department of Defense Supplement to the Federal Acquisition
Regulation contract requirements and language for contractor
vulnerability disclosure programs and develop updates to such
requirements designed to ensure that covered contractors
implement a vulnerability disclosure policy consistent with
NIST guidelines for contractors as required under section 5 of
the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c;
Public Law 116-207).

(2) Revisions.--Not later than 180 days after the date on
which the review required under subsection (a) is completed,
the Secretary shall revise the DFARS as necessary to
incorporate requirements for covered contractors to receive
information about a potential security vulnerability relating
to an information system owned or controlled by a contractor,
in performance of the contract.

(3) Elements.--The Secretary shall ensure that the revision
to the DFARS described in this subsection is carried out in
accordance with the requirements of paragraphs (1) and (2) of
subsection (c).

(4) Waiver.--The Chief Information Officer of the
Department of Defense, in consultation with the National
Manager for National Security Systems, may waive the security
vulnerability disclosure policy requirements under paragraph (2)
if the Chief Information Officer--
(A) determines that the waiver is necessary in the
interest of national security or research purposes; and
(B) not later than 30 days after granting a waiver,
submits a notification and justification (including
information about the duration of the waiver) to the
Committees on Armed Services of the House of
Representatives and the Senate.

(f) Definitions.--In this section:

(1) The term ``agency'' has the meaning given the term in
section 3502 of title 44, United States Code.

(2) The term ``covered contractor'' means a contractor (as
defined in section 7101 of title 41, United States Code)--
(A) whose contract is in an amount the same as or
greater than the simplified acquisition threshold; or
(B) that uses, operates, manages, or maintains a
Federal information system (as defined by section 11331
of title 40, United States Code) on behalf of an
agency.

(3) The term ``DFARS'' means the Department of Defense
Supplement to the Federal Acquisition Regulation.

(4) The term ``Executive department'' has the meaning given
that term in
section 101 of title 5, United States Code.

(5) The term ``FAR'' means the Federal Acquisition
Regulation.

(6) The term ``NIST'' means the National Institute of
Standards and Technology.

(7) The term ``OMB'' means the Office of Management and
Budget.

(8) The term ``security vulnerability'' has the meaning
given that term in section 2200 of the Homeland Security Act of
2002 (6 U.S.C. 650).

(9) The term ``simplified acquisition threshold'' has the
meaning given that term in section 134 of title 41, United
States Code.

Passed the House of Representatives March 3, 2025.

Attest:

KEVIN F. MCCUMBER,

Clerk.