WASHINGTON (VR) — U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK), a member of the Senate Committee on Homeland Security & Governmental Affairs, announced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, legislation they will introduce to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST). Companion legislation, introduced in the House of Representatives, is being led by Rep. Nancy Mace (R-SC-01).
Vulnerability Disclosure Policies (VDP) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack takes place. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Currently, civilian federal agencies are required to have VDPs, however there is no requirement for federal contractors – civilian or defense – to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess, and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” said Sen. Warner. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” said Sen. Lankford.
Specifically the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would:
- Require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies;
- Require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.
This legislation is the latest step in Sen. Warner’s efforts to mitigate to damage of potential cybersecurity attacks. He has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner also co-authored legislation that requires companies responsible for U.S. critical infrastructure report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.
“Palo Alto Networks applauds Senator Warner’s continued efforts to promote federal cyber resilience through the Federal Cybersecurity Vulnerability Reduction Act. This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.
“This bipartisan legislation addresses a critical gap in our nation’s cybersecurity protections by bringing the practices of federal contractors in line with those of the agencies they serve and with guidelines issued by the National Institute of Standards and Technology,” said Ilona Cohen, Chief Legal and Policy Officer of HackerOne. “This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors. We applaud Senators Warner and Lankford for their leadership on this important issue.”