Bipartisan Bill to Tighten Vulnerability Disclosure Rules for Federal Contractors


US senators Mark R. Warner (D-VA) and James Lankford (R-OK) over the weekend announced the introduction of a bipartisan bill seeking tighter vulnerability disclosure rules for federal contractors.

Referred to as the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, the legislation is aimed at mitigating the impact of cyberattacks by requiring federal contractors to adhere to the vulnerability disclosure guidelines set by the National Institute of Standards and Technology (NIST).

Specifically, the bill (PDF) would require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) that would require federal contractors to implement vulnerability disclosure policies in line with federal agencies’ requirements.

Per the new bill, the Secretary of Defense would be required to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements that would require defense contractors to implement similar policies.

Organizations that have implemented Vulnerability Disclosure Policies (VDP) provide researchers with the means to submit reports of vulnerabilities within their software products, to address them before they are exploited in attacks.

Receiving vulnerability reports, the senators argue, allows developers and service providers to become aware of issues, yet federal contractors are not currently required to have VDPs, even though civilian federal agencies are.

The new legislation would require that federal contractors implement VDPs and a formal process of accepting, assessing, and managing vulnerability reports, thus reducing known security bugs.

With federal contractors implementing VDPs, security researchers would be able to report vulnerabilities directly to them, without any additional reporting to a federal agency.


“VDPs are a crucial tool used to proactively identify and address software vulnerabilities. This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks,” Sen. Warner said.
