Bipartisan Bill to Tighten Vulnerability Disclosure Rules for Federal Contractors

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would require federal contractors to adhere to NIST’s vulnerability disclosure guidelines.

US senators Mark R. Warner (D-VA) and James Lankford (R-OK) over the weekend announced the introduction of a bipartisan bill seeking tighter vulnerability disclosure rules for federal contractors.

Referred to as the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, the legislation is aimed at mitigating the impact of cyberattacks by requiring federal contractors to adhere to the vulnerability disclosure guidelines set by the National Institute of Standards and Technology (NIST).

Specifically, the bill would require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) that would require federal contractors to implement vulnerability disclosure policies in line with federal agencies’ requirements.

Per the new bill, the Secretary of Defense would be required to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements that would require defense contractors to implement similar policies.

Organizations that have implemented vulnerability disclosure policies (VDPs) give security researchers a defined channel for reporting vulnerabilities in their software products, so that the issues can be addressed before they are exploited in attacks.

Receiving vulnerability reports, the senators argue, allows developers and service providers to become aware of issues; yet while civilian federal agencies are required to have VDPs, federal contractors are not.

The new legislation would require federal contractors to implement VDPs and a formal process for accepting, assessing, and managing vulnerability reports, thereby reducing the number of known but unaddressed security bugs.

With federal contractors implementing VDPs, security researchers would be able to report vulnerabilities directly to them, without any additional reporting to a federal agency.


“VDPs are a crucial tool used to proactively identify and address software vulnerabilities. This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks,” Sen. Warner said.

Related: Senate Passes Bill to Protect Kids Online and Make Tech Companies Accountable for Harmful Content

Related: 225,000 More Cybersecurity Workers Needed in US: CyberSeek

Related: Attempts to Regulate AI’s Hidden Hand in Americans’ Lives Flounder in US Statehouses

Related: Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
