119th CONGRESS, 1st Session

H. R. 872

To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

January 31, 2025

Ms. Mace (for herself and Ms. Brown) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025’’.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.

(a) RECOMMENDATIONS.—

VerDate Sep 11 2014 22:57 Feb 27, 2025 Jkt 059200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H872.IH H872

    (1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall—

        (A) review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs; and

        (B) recommend updates to such requirements and language to the Federal Acquisition Regulation Council.
    (2) CONTENTS.—The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).

(b) PROCUREMENT REQUIREMENTS.—Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.

(c) ELEMENTS.—The update to the FAR pursuant to subsection (b) shall—

    (1) to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (Public Law 116–207; 15 U.S.C. 278g–3c and 278g–3d); and

    (2) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.
(d) WAIVER.—The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if—

    (1) the agency Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes; and

    (2) if, not later than 30 days after granting a waiver, such head submits a notification and justification (including information about the duration of the waiver) to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.

(e) DEPARTMENT OF DEFENSE SUPPLEMENT TO THE FEDERAL ACQUISITION REGULATION.—

    (1) REVIEW.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).
    (2) REVISIONS.—Not later than 180 days after the date on which the review required under subsection (a) is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.

    (3) ELEMENTS.—The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs (1) and (2) of subsection (c).

    (4) WAIVER.—The Chief Information Officer of the Department of Defense may waive the security vulnerability disclosure policy requirements under paragraph (2) if the Chief Information Officer—

        (A) determines that the waiver is necessary in the interest of national security or research purposes; and

        (B) not later than 30 days after granting a waiver, submits a notification and justification (including information about the duration of the waiver) to the Committees on Armed Services of the House of Representatives and the Senate.

(f) DEFINITIONS.—In this section:

    (1) The term ‘‘agency’’ has the meaning given the term in section 3502 of title 44, United States Code.

    (2) The term ‘‘covered contractor’’ means a contractor (as defined in section 7101 of title 41, United States Code)—

        (A) whose contract is in an amount the same as or greater than the simplified acquisition threshold; or

        (B) that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United States Code) on behalf of an agency.
    (3) The term ‘‘DFARS’’ means the Department of Defense Supplement to the Federal Acquisition Regulation.

    (4) The term ‘‘Executive department’’ has the meaning given that term in section 101 of title 5, United States Code.

    (5) The term ‘‘FAR’’ means the Federal Acquisition Regulation.

    (6) The term ‘‘NIST’’ means the National Institute of Standards and Technology.

    (7) The term ‘‘OMB’’ means the Office of Management and Budget.

    (8) The term ‘‘security vulnerability’’ has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

    (9) The term ‘‘simplified acquisition threshold’’ has the meaning given that term in section 134 of title 41, United States Code.