119TH CONGRESS
1ST SESSION

H. R. 872

AN ACT

To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025’’.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.

(a) RECOMMENDATIONS.—
  (1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall—
    (A) review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs; and
    (B) recommend updates to such requirements and language to the Federal Acquisition Regulation Council.
  (2) CONTENTS.—The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).
(b) PROCUREMENT REQUIREMENTS.—Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.
(c) ELEMENTS.—The update to the FAR pursuant to subsection (b) shall—
  (1) to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (Public Law 116–207; 15 U.S.C. 278g–3c and 278g–3d); and
  (2) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.
(d) WAIVER.—The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if—
  (1) the agency Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes; and
  (2) if, not later than 30 days after granting a waiver, such head submits a notification and justification (including information about the duration of the waiver) to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.
(e) DEPARTMENT OF DEFENSE SUPPLEMENT TO THE FEDERAL ACQUISITION REGULATION.—
  (1) REVIEW.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).
  (2) REVISIONS.—Not later than 180 days after the date on which the review required under subsection (a) is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.
  (3) ELEMENTS.—The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs (1) and (2) of subsection (c).
  (4) WAIVER.—The Chief Information Officer of the Department of Defense, in consultation with the National Manager for National Security Systems, may waive the security vulnerability disclosure policy requirements under paragraph (2) if the Chief Information Officer—
    (A) determines that the waiver is necessary in the interest of national security or research purposes; and
    (B) not later than 30 days after granting a waiver, submits a notification and justification (including information about the duration of the waiver) to the Committees on Armed Services of the House of Representatives and the Senate.
(f) DEFINITIONS.—In this section:
  (1) The term ‘‘agency’’ has the meaning given the term in section 3502 of title 44, United States Code.
  (2) The term ‘‘covered contractor’’ means a contractor (as defined in section 7101 of title 41, United States Code)—
    (A) whose contract is in an amount the same as or greater than the simplified acquisition threshold; or
    (B) that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United States Code) on behalf of an agency.
  (3) The term ‘‘DFARS’’ means the Department of Defense Supplement to the Federal Acquisition Regulation.
  (4) The term ‘‘Executive department’’ has the meaning given that term in section 101 of title 5, United States Code.
  (5) The term ‘‘FAR’’ means the Federal Acquisition Regulation.
  (6) The term ‘‘NIST’’ means the National Institute of Standards and Technology.
  (7) The term ‘‘OMB’’ means the Office of Management and Budget.
  (8) The term ‘‘security vulnerability’’ has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
  (9) The term ‘‘simplified acquisition threshold’’ has the meaning given that term in section 134 of title 41, United States Code.

Passed the House of Representatives March 3, 2025.

Attest:

Clerk.