What does FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY. of Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 do?

This section directs the Director of the Office of Management and Budget (OMB) to review and recommend updates to the Federal Acquisition Regulation (FAR) regarding contractor vulnerability disclosure programs. The recommendations must align with NIST guidelines and the IoT Cybersecurity Improvement Act of 2020. The FAR Council is then tasked with updating the FAR to incorporate requirements for covered contractors to receive information about potential security vulnerabilities. The updated FAR must align with industry best practices and specific ISO standards. Agency heads can waive the vulnerability disclosure policy requirement for national security or research purposes, subject to notification requirements. The Secretary of Defense must also review and update the Department of Defense Supplement to the FAR (DFARS) to align with these requirements. Definitions are provided for key terms including 'agency,' 'covered contractor,' 'DFARS,' 'FAR,' 'NIST,' 'OMB,' 'security vulnerability,' and 'simplified acquisition threshold'.

Back to bills

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

Q: What does Preamble of Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 do?

This bill requires covered contractors to implement a vulnerability disclosure policy. The vulnerability disclosure policy must be consistent with NIST guidelines.

Q: What does SHORT TITLE. of Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 do?

This bill is formally titled the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025.

Last updated: 3/4/2025 · Introduced: 1/31/2025

Author: Nancy Mace (R-SC)

TL;DR (AI)

This bill mandates that federal contractors establish vulnerability disclosure policies aligned with National Institute of Standards and Technology (NIST) guidelines.
The Office of Management and Budget (OMB) and the FAR Council will update the Federal Acquisition Regulation (FAR) to require contractors to receive information about security vulnerabilities.
Agency heads and the Secretary of Defense can grant waivers to the vulnerability disclosure policy requirements for national security or research purposes.

119th Congresspassed houseHR. 8800(In Committee)Official page

Verified Votes

No verified votes yet.

Community Votes

No community votes yet. Be the first!

Voting as guest · Sign in for verified votes

Other Sections

Includes provisions on preamble, short title., and 1 more.

3 sections

Click "Show details" to explore individual sections. Use the community vote above or visit All Sections to vote per section.

Read official text

Want the full experience?

Create a free account to cast verified votes on each section, get a personalized summary, and track your voting history.

Create Free Account