US Congress 2025-2026 Regular Session

US Congress House Bill HB872 Compare Versions

Old | New | Differences. Lines marked - appear only in the old text (•HR 872 EH, Engrossed in House); lines marked + appear only in the new text (•HR 872 IH, Introduced in House); unmarked lines are identical in both versions.

119TH CONGRESS, 1ST SESSION
H. R. 872

- AN ACT

+ To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.
+ IN THE HOUSE OF REPRESENTATIVES
+ JANUARY 31, 2025
+ Ms. MACE (for herself and Ms. BROWN) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
+ A BILL

To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

- •HR 872 EH

SECTION 1. SHORT TITLE.

This Act may be cited as the “Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025”.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.
(a) RECOMMENDATIONS.—

+ VerDate Sep 11 2014 22:57 Feb 27, 2025 Jkt 059200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H872.IH H872
+ ssavage on LAPJG3WLY3PROD with BILLS
+ •HR 872 IH

(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall—
(A) review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs; and
(B) recommend updates to such requirements and language to the Federal Acquisition Regulation Council.
(2) CONTENTS.—The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).

(b) PROCUREMENT REQUIREMENTS.—Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.
(c) ELEMENTS.—The update to the FAR pursuant to subsection (b) shall—
(1) to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (Public Law 116–207; 15 U.S.C. 278g–3c and 278g–3d); and
(2) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.

(d) WAIVER.—The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if—
(1) the agency Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes; and
(2) if, not later than 30 days after granting a waiver, such head submits a notification and justification (including information about the duration of the waiver) to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.
(e) DEPARTMENT OF DEFENSE SUPPLEMENT TO THE FEDERAL ACQUISITION REGULATION.—
(1) REVIEW.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).
(2) REVISIONS.—Not later than 180 days after the date on which the review required under subsection (a) is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.
(3) ELEMENTS.—The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs (1) and (2) of subsection (c).
(4) WAIVER.—
- The Chief Information Officer of the Department of Defense, in consultation with the National Manager for National Security Systems, may waive the security vulnerability disclosure policy requirements under paragraph (2) if the Chief Information Officer—
+ The Chief Information Officer of the Department of Defense may waive the security vulnerability disclosure policy requirements under paragraph (2) if the Chief Information Officer—
(A) determines that the waiver is necessary in the interest of national security or research purposes; and
(B) not later than 30 days after granting a waiver, submits a notification and justification (including information about the duration of the waiver) to the Committees on Armed Services of the House of Representatives and the Senate.
(f) DEFINITIONS.—In this section:
(1) The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.
(2) The term “covered contractor” means a contractor (as defined in section 7101 of title 41, United States Code)—
(A) whose contract is in an amount the same as or greater than the simplified acquisition threshold; or
(B) that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United States Code) on behalf of an agency.
(3) The term “DFARS” means the Department of Defense Supplement to the Federal Acquisition Regulation.
(4) The term “Executive department” has the meaning given that term in section 101 of title 5, United States Code.
(5) The term “FAR” means the Federal Acquisition Regulation.
(6) The term “NIST” means the National Institute of Standards and Technology.
(7) The term “OMB” means the Office of Management and Budget.
(8) The term “security vulnerability” has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
(9) The term “simplified acquisition threshold” has the meaning given that term in section 134 of title 41, United States Code.

- Passed the House of Representatives March 3, 2025.
- Attest:
- Clerk.
- 119TH CONGRESS, 1ST SESSION
- H. R. 872
- AN ACT
- To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.