HR872-119

Passed House

To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.

119th Congress Introduced Mar 4, 2025

Summary

What This Bill Does

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 makes vulnerability disclosure policies part of federal contracting. Within 180 days, OMB must review Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs in consultation with CISA, the National Cyber Director, NIST, and other agency heads, then recommend updates to the FAR Council. Those updates must ensure covered contractors implement policies consistent with NIST contractor guidelines under the IoT Cybersecurity Improvement Act of 2020. Within 180 days after receiving the recommended language, the FAR Council must review it and update the FAR as necessary so covered contractors can receive reports about vulnerabilities in contractor-owned or contractor-controlled information systems used to perform federal contracts. The FAR update must align where practicable with coordinated disclosure requirements for federal information systems and ISO Standards 29147 and 30111. Agency heads may waive the requirement for national security or research reasons with notice to House Oversight and Senate Homeland Security. The Defense Department must conduct a parallel DFARS review and revision, with waiver authority for the DOD Chief Information Officer in consultation with the National Manager for National Security Systems.

Who Benefits and How

Federal agencies benefit because contractors operating or supporting federal information systems would have clearer channels to receive vulnerability reports. Security researchers benefit from more standardized disclosure pathways tied to NIST and coordinated-disclosure standards. CISA, the National Cyber Director, and NIST benefit because their guidance becomes part of procurement language rather than voluntary advice. Federal contracting officers benefit from updated FAR and DFARS clauses they can apply across covered contracts. Congressional oversight committees benefit from waiver notices explaining national-security or research exceptions.

Who Bears the Burden and How

Covered federal contractors must implement vulnerability disclosure policies for qualifying contracts, including contracts at or above the simplified acquisition threshold and contracts involving federal information systems. OMB, the FAR Council, and DOD procurement officials must review, draft, and revise acquisition language on statutory timelines. Agency chief information officers and the DOD Chief Information Officer must justify waivers within 30 days when they invoke national-security or research exceptions. Defense contractors must adapt to DFARS requirements in addition to ordinary FAR changes.

Key Provisions

  • Requires OMB to review FAR vulnerability disclosure requirements within 180 days.
  • Requires OMB recommendations to ensure covered contractors implement NIST-consistent vulnerability disclosure policies.
  • Requires the FAR Council to review recommended language and update the FAR within 180 days after receiving it.
  • Requires FAR updates to align where practicable with IoT Cybersecurity Improvement Act disclosure processes and ISO 29147 and 30111.
  • Authorizes agency waivers for national-security or research reasons with congressional notification within 30 days.
  • Requires DOD to conduct a parallel DFARS review, revision, and waiver process.

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Requires OMB, CISA, the National Cyber Director, NIST, the FAR Council, and the Defense Department to update federal procurement rules so covered contractors implement vulnerability disclosure policies aligned with NIST, IoT Cybersecurity Improvement Act, coordinated disclosure, and ISO 29147 and 30111 standards, with national-security or research waivers reported to Congress.

Key Policy Areas

Cybersecurity, Federal Procurement, Defense

Primary Purpose

Requires OMB, CISA, the National Cyber Director, NIST, the FAR Council, and the Defense Department to update federal procurement rules so covered contractors implement vulnerability disclosure policies aligned with NIST, IoT Cybersecurity Improvement Act, coordinated disclosure, and ISO 29147 and 30111 standards, with national-security or research waivers reported to Congress.

Policy Domains

Cybersecurity Federal Procurement Defense

House resolution provisions

Identified Gains
  • Federal agencies
  • Security researchers
  • CISA
  • National Cyber Director
  • NIST
  • Federal contracting officers
  • Congressional oversight committees
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rfs
CISA: ,
NIST: ,
Federal agencies: ,
Security researchers: ,
National Cyber Director: ,
Federal contracting officers: ,
Congressional oversight committees: ,
Identified Costs
  • Covered federal contractors
  • OMB procurement staff
  • Federal Acquisition Regulation Council
  • DOD procurement officials
  • Agency chief information officers
  • Defense contractors
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rfs
Defense contractors: ,
OMB procurement staff: ,
DOD procurement officials: ,
Covered federal contractors: ,
Agency chief information officers: ,
Federal Acquisition Regulation Council: ,

Legislative Progress

Passed House
Introduced Committee Passed
Mar 4, 2025

Received; read twice and referred to the Committee on Homeland …

Mar 4, 2025 (inferred)

Passed House (inferred from eh version)

Jan 31, 2025

Ms. Mace (for herself and Ms. Brown) introduced the following …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Government
12 mentions across 3 clauses
+3 positive -9 negative

Department of Defense procurement officials, Federal Acquisition Regulation Council, Federal agencies

Positive-direction: Federal agencies

Negative-direction: Department of Defense procurement officials, Federal Acquisition Regulation Council, Office of Management and Budget

Federal Contracting
3 mentions across 3 clauses
-3 negative

Covered federal contractors

Defense
3 mentions across 3 clauses
-3 negative

Defense contractors

Technology
3 mentions across 3 clauses
+3 positive

Security researchers

2/2
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Cybersecurity Federal Procurement Defense
Actor Mappings
"omb"
→ Office of Management and Budget
"cisa"
→ Cybersecurity and Infrastructure Security Agency
"nist"
→ National Institute of Standards and Technology
"far_council"
→ Federal Acquisition Regulation Council

Key Definitions

Terms defined in this bill

1 term
"covered contractor" §2

A contractor at or above the simplified acquisition threshold or one that uses, operates, manages, or maintains a federal information system.

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology