The House of Representatives has passed a bill that mandates contractors working with the federal government implement vulnerability disclosure policies (VDPs) in alignment with NIST guidelines.
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, introduced by Chairwoman Nancy Mace (R-S.C.) and Ranking Member Shontel Brown (D-Ohio), directs the Office of Management and Budget (OMB) to work with CISA, the National Cyber Director’s Office, NIST, and other agencies.
The bill also asks the Defense Department to ensure defense contractors adopt similar policies.
The Office of Management and Budget and the Department of Defense will be required to update federal acquisition policies to reflect these changes.
The bill outlines several steps for updating vulnerability disclosure requirements for government contractors:
- Recommendations (180 days): The Director of the Office of Management and Budget, in collaboration with other agencies, will review the Federal Acquisition Regulation on contractor vulnerability disclosure programs and recommend updates, ensuring they align with NIST guidelines.
- Procurement Requirements (180 days after recommendations): The FAR Council will review and update contract language based on the recommendations so that contractors have a channel through which they can be informed about potential security vulnerabilities in the systems they manage.
- Update Details: The updated FAR will align with the IoT Cybersecurity Improvement Act of 2020 and industry best practices.
- Waivers: Agencies can waive vulnerability disclosure requirements if the CIO determines it’s necessary for national security or research but must report the waiver to certain Congressional committees within 30 days.
- Department of Defense (DoD): Within 180 days, the Secretary of Defense will review and revise DoD-specific regulations to ensure contractors follow the same vulnerability disclosure policies as outlined above.
Contractors are Prime Targets
A matter of days before the bill passed the House, several major cybersecurity and tech companies inked a letter urging the House and Senate to approve the legislation.
“Contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices,” reads the letter signed by Bugcrowd, HackerOne, Microsoft, Rapid7, Trend Micro, and others.
The letter also stated: “We are encouraged by the bipartisan support this legislation has received thus far, and we urge the House to swiftly pass it, with the Senate following suit. Strengthening cybersecurity is a strategic priority for this Administration to outpace and outmaneuver our adversaries. By implementing a simple and effective approach to identifying vulnerabilities, we can stay ahead of emerging threats and better protect critical systems.”
A Mandatory Procurement Requirement
“HR 872 transforms Vulnerability Disclosure Programs (VDPs) and the reception of hacker feedback from a ‘nice-to-have’ into a mandatory FAR/DFARS procurement requirement,” says Casey Ellis, Founder at Bugcrowd. “Building on strong VDP adoption within the US Government through initiatives such as Hack the Pentagon and various congressional and DHS/OMB directives (including BOD 20-01), HR 872 joins the IoT Cybersecurity Act as one of the few directives leveraging procurement to ensure widespread VDP implementation.”
By making VDP a procurement requirement, HR 872 will accelerate the acceptance of hacker feedback within the U.S. Government and among the many contractors and vendors that support federal agencies, says Ellis.
“This legislation mandates that all companies contracting with the federal government adhere to recognized security best practices, elevating the overall standard of cybersecurity across federal supply chains. HR 872 highlights the U.S. Government’s growing recognition of the essential role hackers and security researchers play in safeguarding cyberspace, legitimizing ethical hackers—likened to ‘locksmiths’ rather than ‘burglars’—in their efforts to protect critical systems,” Ellis explains. “Bugcrowd is proud to have supported the creation of this bill and to continue to support passage of this bill through the Senate and into law, both directly and through our work with the Hacking Policy Council.”
Aligning Contractors with Industry Best Practices
“Every company building or implementing technology and services needs a Vulnerability Disclosure Program (VDP), and this is a significant milestone in aligning contractors with industry best practices,” says Trey Ford, Chief Information Security Officer at Bugcrowd. “Ultimately, the performance of a VDP is the best external proxy indicator for the performance of a company’s security program.”
Ford says establishing a VDP is necessary to create a safe harbor for users and researchers to report security concerns in good faith, a challenge that still exists in US law and is of particular concern for researchers when interacting with governmental targets.
Just One Risk Dimension
Piyush Pandey, CEO at Pathlock, adds that while ensuring application vulnerabilities are managed effectively is important, it is just one risk dimension, and perhaps not the most important.
“Over the last five years, driven by digital modernization, unauthorized Identity-related access to critical applications at the transaction level has introduced far more risk. In fact, public company filings from 2021 to 2023 report double-digit increases in both significant deficiencies and, more importantly, material weaknesses.”
While managing vulnerabilities is required, controlling unauthorized Identity-related access to critical applications is also required to manage the most critical business risks today, Pandey says.
The Advantages of Framework-driven Operations
Ken Dunham, Cyber Threat Director at Qualys, says VDP guidelines are based on NIST SP 800-216, which helps manage risk related to reporting security vulnerabilities in software and information systems owned or utilized by the Federal Government. NIST SP 800-216 defines the terminology, coordination, scope, triage, and prioritization of vulnerability information, the management of advisory information and public disclosure, and the relevant stakeholders. It also addresses how vulnerability disclosure program offices (VDPOs) are to be managed and run.
“The intended outcome of VDPO oversight and use of this framework is to increase visibility and compliance for vulnerability management in the Federal Government. This bill is focused on operational components of how vulnerability information is managed and disclosed to ensure compliance and oversight,” Dunham adds.
Framework-driven operations are more cost-effective and better at reducing risk compared to those that are not, Dunham continues. “They also increase visibility and introduce a layer of governance and management that is not possible without such a framework and iterative approach to processes and controls.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.