Current status is Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

119th CONGRESS

1st Session

S. 1899

1. Short title
2. Federal contractor vulnerability disclosure policy
3. No additional funding

1. Short title

This Act may be cited as the "Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025".

2. Federal contractor vulnerability disclosure policy

(a) Recommendations

(1) In general - Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall—

(A) - review the Federal Acquisition Regulation (FAR) contract requirements and language for contractor vulnerability disclosure programs; and

(B) - recommend updates to such requirements and language to the Federal Acquisition Regulation Council.

(2) Contents - The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with National Institute of Standards and Technology (NIST) guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c).

(b) Procurement requirements - Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and amend the FAR as necessary to incorporate requirements for covered contractors to solicit and address information about potential security vulnerabilities relating to an information system owned or controlled by the contractor that is used in performance of a Federal contract.

(1) - to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c, 278g–3d); and

(2) - to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.

(d) Waiver - The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if the agency Chief Information Officer—

(1) - determines that the waiver is necessary in the interest of national security or research purposes; and

(2) - not later than 30 days after granting the waiver, submits a notification and justification, including information about the duration of the waiver, to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.

(e) Definitions - In this section:

(1) Agency - The term agency has the meaning given the term in section 3502 of title 44, United States Code.

(2) Covered contractor - The term covered contractor means a contractor (as defined in section 7101 of title 41, United States Code)—

(A) - whose contract is in an amount the same as or greater than the simplified acquisition threshold; or

(B) - that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United Stated Code) on behalf of an agency.

(3) Executive department - The term Executive department has the meaning given that term in section 101 of title 5, United States Code.

(4) Security vulnerability - The term security vulnerability has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(5) Simplified acquisition threshold - The term simplified acquisition threshold has the meaning given that term in section 134 of title 41, United States Code.

3. No additional funding

No additional funds are authorized to be appropriated for the purpose of carrying out this Act.