U.S. Senators Mark Warner (D-VA) and James Lankford (R-OK) have announced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024. This bipartisan bill aims to bolster federal cybersecurity by requiring contractors to follow National Institute of Standards and Technology (NIST) guidelines. A companion bill is being introduced in the House by Rep. Nancy Mace (R-SC-01).
Currently, federal agencies must have Vulnerability Disclosure Policies (VDPs) to receive and address reports of software vulnerabilities, but there’s no such mandate for federal contractors. The proposed legislation would require contractors, both civilian and defense, to implement VDPs to manage and address security vulnerabilities.
Sen. Warner emphasized the importance of VDPs in protecting critical infrastructure and sensitive data, while Sen. Lankford stressed the need for quick awareness and resolution of cyber vulnerabilities to safeguard government systems.
Ilona Cohen, Chief Legal and Policy Officer of HackerOne, praised the bill, saying it “addresses a critical gap in our nation’s cybersecurity protections by bringing the practices of federal contractors in line with those of the agencies they serve and with guidelines issued by NIST. This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors.”
The bill directs the Office of Management and Budget (OMB) and the Secretary of Defense to ensure that federal and defense contractors update their policies to include VDPs.
This legislation builds on Sen. Warner’s extensive efforts in cybersecurity, including his work on the Internet of Things (IoT) Cybersecurity Improvement Act, signed into law in 2020, and his role in the Senate Cybersecurity Caucus.
The bill has also received support from industry leaders such as Palo Alto Networks, which commends its proactive approach to federal cybersecurity.
A copy of the legislation is available here. A one-pager of the legislation is available here.