| 1 | 1 | | I |
|---|
| 2 | 2 | | 119THCONGRESS |
|---|
| 3 | 3 | | 1 |
|---|
| 4 | 4 | | STSESSION H. R. 1258 |
|---|
| 5 | 5 | | To amend title 41, United States Code, to require information technology |
|---|
| 6 | 6 | | contractors to maintain a vulnerability disclosure policy and program, |
|---|
| 7 | 7 | | and for other purposes. |
|---|
| 8 | 8 | | IN THE HOUSE OF REPRESENTATIVES |
|---|
| 9 | 9 | | FEBRUARY12, 2025 |
|---|
| 10 | 10 | | Mr. L |
|---|
| 11 | 11 | | IEUintroduced the following bill; which was referred to the Committee |
|---|
| 12 | 12 | | on Oversight and Government Reform |
|---|
| 13 | 13 | | A BILL |
|---|
| 14 | 14 | | To amend title 41, United States Code, to require informa- |
|---|
| 15 | 15 | | tion technology contractors to maintain a vulnerability |
|---|
| 16 | 16 | | disclosure policy and program, and for other purposes. |
|---|
| 17 | 17 | | Be it enacted by the Senate and House of Representa-1 |
|---|
| 18 | 18 | | tives of the United States of America in Congress assembled, 2 |
|---|
| 19 | 19 | | SECTION 1. SHORT TITLE. 3 |
|---|
| 20 | 20 | | This Act may be cited as the ‘‘Improving Contractor 4 |
|---|
| 21 | 21 | | Cybersecurity Act’’. 5 |
|---|
| 22 | 22 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 23 | 23 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 2 |
|---|
| 24 | 24 | | •HR 1258 IH |
|---|
| 25 | 25 | | SEC. 2. VULNERABILITY DISCLOSURE POLICY AND PRO-1 |
|---|
| 26 | 26 | | GRAM REQUIRED FOR INFORMATION TECH-2 |
|---|
| 27 | 27 | | NOLOGY CONTRACTORS. 3 |
|---|
| 28 | 28 | | (a) A |
|---|
| 29 | 29 | | MENDMENT.—Chapter 47 of division C of sub-4 |
|---|
| 30 | 30 | | title I of title 41, United States Code, is amended by add-5 |
|---|
| 31 | 31 | | ing at the end the following new section: 6 |
|---|
| 32 | 32 | | ‘‘§ 4715. Vulnerability disclosure policy and program 7 |
|---|
| 33 | 33 | | required 8 |
|---|
| 34 | 34 | | ‘‘(a) R |
|---|
| 35 | 35 | | EQUIREMENTS FOR INFORMATION TECH-9 |
|---|
| 36 | 36 | | NOLOGYCONTRACTORS.—The head of an executive agen-10 |
|---|
| 37 | 37 | | cy may not enter into a contract for information tech-11 |
|---|
| 38 | 38 | | nology unless the contractor maintains or does the fol-12 |
|---|
| 39 | 39 | | lowing: 13 |
|---|
| 40 | 40 | | ‘‘(1) A vulnerability disclosure policy for infor-14 |
|---|
| 41 | 41 | | mation technology that— 15 |
|---|
| 42 | 42 | | ‘‘(A) includes— 16 |
|---|
| 43 | 43 | | ‘‘(i) a description of which systems 17 |
|---|
| 44 | 44 | | are in scope; 18 |
|---|
| 45 | 45 | | ‘‘(ii) the type of information tech-19 |
|---|
| 46 | 46 | | nology testing for each system that is al-20 |
|---|
| 47 | 47 | | lowed (or specifically not authorized); 21 |
|---|
| 48 | 48 | | ‘‘(iii) if a contractor includes systems 22 |
|---|
| 49 | 49 | | that host sensitive information in the vul-23 |
|---|
| 50 | 50 | | nerability disclosure policy, the contractor 24 |
|---|
| 51 | 51 | | shall determine whether to impose restric-25 |
|---|
| 52 | 52 | | tions on accessing, copying, transferring, 26 |
|---|
| 53 | 53 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 54 | 54 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 3 |
|---|
| 55 | 55 | | •HR 1258 IH |
|---|
| 56 | 56 | | storing, using, and retaining such informa-1 |
|---|
| 57 | 57 | | tion, including by— 2 |
|---|
| 58 | 58 | | ‘‘(I) prohibiting sensitive infor-3 |
|---|
| 59 | 59 | | mation from being saved, stored, 4 |
|---|
| 60 | 60 | | transferred, or otherwise accessed 5 |
|---|
| 61 | 61 | | after initial discovery; 6 |
|---|
| 62 | 62 | | ‘‘(II) directing that sensitive in-7 |
|---|
| 63 | 63 | | formation be viewed only to the extent 8 |
|---|
| 64 | 64 | | required to identify a vulnerability 9 |
|---|
| 65 | 65 | | and that the information not be re-10 |
|---|
| 66 | 66 | | tained; or 11 |
|---|
| 67 | 67 | | ‘‘(III) limiting use of information 12 |
|---|
| 68 | 68 | | obtained from interacting with the 13 |
|---|
| 69 | 69 | | systems or services to be explored by 14 |
|---|
| 70 | 70 | | the researcher to activities directly re-15 |
|---|
| 71 | 71 | | lated to reporting security 16 |
|---|
| 72 | 72 | | vulnerabilities; 17 |
|---|
| 73 | 73 | | ‘‘(iv) a description of how an indi-18 |
|---|
| 74 | 74 | | vidual may submit a vulnerability report 19 |
|---|
| 75 | 75 | | that includes— 20 |
|---|
| 76 | 76 | | ‘‘(I) the location of where to send 21 |
|---|
| 77 | 77 | | the report, such as a web form or 22 |
|---|
| 78 | 78 | | email address; 23 |
|---|
| 79 | 79 | | ‘‘(II) a description of the type of 24 |
|---|
| 80 | 80 | | information necessary to find and 25 |
|---|
| 81 | 81 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 82 | 82 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 4 |
|---|
| 83 | 83 | | •HR 1258 IH |
|---|
| 84 | 84 | | analyze the vulnerability (such as a 1 |
|---|
| 85 | 85 | | description, the location, and potential 2 |
|---|
| 86 | 86 | | impact of the vulnerability, the tech-3 |
|---|
| 87 | 87 | | nical information needed to reproduce 4 |
|---|
| 88 | 88 | | the vulnerability, and any proof of 5 |
|---|
| 89 | 89 | | concept); and 6 |
|---|
| 90 | 90 | | ‘‘(III) a clear statement— 7 |
|---|
| 91 | 91 | | ‘‘(aa) that any individual 8 |
|---|
| 92 | 92 | | that submits a vulnerability re-9 |
|---|
| 93 | 93 | | port may do so anonymously; and 10 |
|---|
| 94 | 94 | | ‘‘(bb) on how and whether 11 |
|---|
| 95 | 95 | | any incomplete submission is 12 |
|---|
| 96 | 96 | | evaluated; 13 |
|---|
| 97 | 97 | | ‘‘(v) a commitment from the con-14 |
|---|
| 98 | 98 | | tractor that the contractor will not pursue 15 |
|---|
| 99 | 99 | | civil action for any accidental, good faith 16 |
|---|
| 100 | 100 | | violation of the vulnerability disclosure pol-17 |
|---|
| 101 | 101 | | icy; 18 |
|---|
| 102 | 102 | | ‘‘(vi) a commitment from the con-19 |
|---|
| 103 | 103 | | tractor that if an individual acting in ac-20 |
|---|
| 104 | 104 | | cordance with the vulnerability disclosure 21 |
|---|
| 105 | 105 | | policy of the contractor is sued by a third 22 |
|---|
| 106 | 106 | | party, the contractor will inform the public 23 |
|---|
| 107 | 107 | | or the court that the individual was acting 24 |
|---|
| 108 | 108 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 109 | 109 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 5 |
|---|
| 110 | 110 | | •HR 1258 IH |
|---|
| 111 | 111 | | in compliance with the vulnerability disclo-1 |
|---|
| 112 | 112 | | sure policy; 2 |
|---|
| 113 | 113 | | ‘‘(vii) a statement that describes the 3 |
|---|
| 114 | 114 | | time frame in which the individual that 4 |
|---|
| 115 | 115 | | submits a report, if known, will receive a 5 |
|---|
| 116 | 116 | | notification of receipt of the report and a 6 |
|---|
| 117 | 117 | | description of what steps will be taken by 7 |
|---|
| 118 | 118 | | the contractor during the remediation 8 |
|---|
| 119 | 119 | | process; and 9 |
|---|
| 120 | 120 | | ‘‘(viii) a set of guidelines that estab-10 |
|---|
| 121 | 121 | | lishes what type of activity by a researcher 11 |
|---|
| 122 | 122 | | are acceptable and unacceptable; and 12 |
|---|
| 123 | 123 | | ‘‘(B) does not— 13 |
|---|
| 124 | 124 | | ‘‘(i) require the submission of person-14 |
|---|
| 125 | 125 | | ally identifiable information of a re-15 |
|---|
| 126 | 126 | | searcher; and 16 |
|---|
| 127 | 127 | | ‘‘(ii) limit testing solely to entities ap-17 |
|---|
| 128 | 128 | | proved by the contractor but rather au-18 |
|---|
| 129 | 129 | | thorizes the public to search for and report 19 |
|---|
| 130 | 130 | | any vulnerability. 20 |
|---|
| 131 | 131 | | ‘‘(2) A description of additional procedures that 21 |
|---|
| 132 | 132 | | describe how the contractor will communicate with 22 |
|---|
| 133 | 133 | | the researcher, and how and when any communica-23 |
|---|
| 134 | 134 | | tion occurs. 24 |
|---|
| 135 | 135 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 136 | 136 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 6 |
|---|
| 137 | 137 | | •HR 1258 IH |
|---|
| 138 | 138 | | ‘‘(3) A description of the target timelines for 1 |
|---|
| 139 | 139 | | and tracking of the following: 2 |
|---|
| 140 | 140 | | ‘‘(A) Notification of receipt to the indi-3 |
|---|
| 141 | 141 | | vidual that submits the report, if known. 4 |
|---|
| 142 | 142 | | ‘‘(B) An initial assessment, such as deter-5 |
|---|
| 143 | 143 | | mining whether any disclosed vulnerability is 6 |
|---|
| 144 | 144 | | valid. 7 |
|---|
| 145 | 145 | | ‘‘(C) Resolution of a vulnerability, includ-8 |
|---|
| 146 | 146 | | ing notification of the outcome to the re-9 |
|---|
| 147 | 147 | | searcher. 10 |
|---|
| 148 | 148 | | ‘‘(4) A page on the website of the contractor 11 |
|---|
| 149 | 149 | | that— 12 |
|---|
| 150 | 150 | | ‘‘(A) allows for the submission of 13 |
|---|
| 151 | 151 | | vulnerabilities by anyone relating to the infor-14 |
|---|
| 152 | 152 | | mation technology; 15 |
|---|
| 153 | 153 | | ‘‘(B) lists the contact information, such as 16 |
|---|
| 154 | 154 | | a phone number or email address for an indi-17 |
|---|
| 155 | 155 | | vidual or team responsible for reviewing any 18 |
|---|
| 156 | 156 | | such submission under subparagraph (A); and 19 |
|---|
| 157 | 157 | | ‘‘(C) describes the process by which a re-20 |
|---|
| 158 | 158 | | view is conducted, including how long it will 21 |
|---|
| 159 | 159 | | take for the contractor to respond to the re-22 |
|---|
| 160 | 160 | | searcher and whether or not monetary rewards 23 |
|---|
| 161 | 161 | | will be paid to the reporter for identifying a vul-24 |
|---|
| 162 | 162 | | nerability. 25 |
|---|
| 163 | 163 | | VerDate Sep 11 2014 05:50 Mar 14, 2025 Jkt 059200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 164 | 164 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 7 |
|---|
| 165 | 165 | | •HR 1258 IH |
|---|
| 166 | 166 | | ‘‘(5) In the case of a discovered vulnerability 1 |
|---|
| 167 | 167 | | that the contractor is not responsible for patching, 2 |
|---|
| 168 | 168 | | the contractor shall submit the vulnerability to the 3 |
|---|
| 169 | 169 | | responsible party or direct the researcher to the ap-4 |
|---|
| 170 | 170 | | propriate party. 5 |
|---|
| 171 | 171 | | ‘‘(b) R |
|---|
| 172 | 172 | | EPORTINGREQUIREMENTS AND METRICS.— 6 |
|---|
| 173 | 173 | | Not later than 7 days after the date on which the vulner-7 |
|---|
| 174 | 174 | | ability disclosure policy described in subsection (a) is pub-8 |
|---|
| 175 | 175 | | lished, and on an ongoing basis as vulnerability reports 9 |
|---|
| 176 | 176 | | are received, an information technology contractor shall 10 |
|---|
| 177 | 177 | | report to the Cybersecurity and Infrastructure Security 11 |
|---|
| 178 | 178 | | Agency of the Department of Homeland Security the fol-12 |
|---|
| 179 | 179 | | lowing information: 13 |
|---|
| 180 | 180 | | ‘‘(1) Any valid or credible report of a not pre-14 |
|---|
| 181 | 181 | | viously known public vulnerability (including any 15 |
|---|
| 182 | 182 | | misconfiguration) on a system that uses commercial 16 |
|---|
| 183 | 183 | | software or services that affect or are likely to affect 17 |
|---|
| 184 | 184 | | other parties in government or industry once a patch 18 |
|---|
| 185 | 185 | | or viable mitigation is available. 19 |
|---|
| 186 | 186 | | ‘‘(2) Any other situation where the contractor 20 |
|---|
| 187 | 187 | | determines it would be helpful or necessary to in-21 |
|---|
| 188 | 188 | | volve the Cybersecurity and Infrastructure Security 22 |
|---|
| 189 | 189 | | Agency. 23 |
|---|
| 190 | 190 | | ‘‘(c) CISA S |
|---|
| 191 | 191 | | UBMISSION OFVULNERABILITIES.—The 24 |
|---|
| 192 | 192 | | Cybersecurity and Infrastructure Security Agency shall 25 |
|---|
| 193 | 193 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E:\BILLS\H1258.IH H1258 |
|---|
| 194 | 194 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB 8 |
|---|
| 195 | 195 | | •HR 1258 IH |
|---|
| 196 | 196 | | communicate with and submit, as necessary, 1 |
|---|
| 197 | 197 | | vulnerabilities to the MITRE Common Vulnerabilities and 2 |
|---|
| 198 | 198 | | Exposures database and the National Institute of Stand-3 |
|---|
| 199 | 199 | | ards and Technology National Vulnerability Database. 4 |
|---|
| 200 | 200 | | ‘‘(d) D |
|---|
| 201 | 201 | | EFINITIONS.—In this section: 5 |
|---|
| 202 | 202 | | ‘‘(1) E |
|---|
| 203 | 203 | | XECUTIVE AGENCY.—The term ‘executive 6 |
|---|
| 204 | 204 | | agency’ has the meaning given that term in section 7 |
|---|
| 205 | 205 | | 133. 8 |
|---|
| 206 | 206 | | ‘‘(2) R |
|---|
| 207 | 207 | | ESEARCHER.—The term ‘researcher’ 9 |
|---|
| 208 | 208 | | means the individual who submits a vulnerability re-10 |
|---|
| 209 | 209 | | port. 11 |
|---|
| 210 | 210 | | ‘‘(3) I |
|---|
| 211 | 211 | | NFORMATION TECHNOLOGY .—The term 12 |
|---|
| 212 | 212 | | ‘information technology’ has the meaning given that 13 |
|---|
| 213 | 213 | | term in section 11101 of title 40.’’. 14 |
|---|
| 214 | 214 | | (b) T |
|---|
| 215 | 215 | | ECHNICAL AND CONFORMINGAMENDMENT.— 15 |
|---|
| 216 | 216 | | The table of sections for chapter 47 of division C of sub-16 |
|---|
| 217 | 217 | | title I of title 41, United States Code, is amended by add-17 |
|---|
| 218 | 218 | | ing at the end the following new item: 18 |
|---|
| 219 | 219 | | ‘‘4715. Vulnerability disclosure policy and program required.’’. |
|---|
| 220 | 220 | | (c) APPLICABILITY.—The amendments made by this 19 |
|---|
| 221 | 221 | | section shall take effect on the date of the enactment of 20 |
|---|
| 222 | 222 | | this section and shall apply to any contract entered into 21 |
|---|
| 223 | 223 | | on or after such effective date. 22 |
|---|
| 224 | 224 | | Æ |
|---|
| 225 | 225 | | VerDate Sep 11 2014 22:25 Mar 10, 2025 Jkt 059200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6301 E:\BILLS\H1258.IH H1258 |
|---|
| 226 | 226 | | kjohnson on DSK7ZCZBW3PROD with $$_JOB |
|---|