H.R. 872: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 aims to enhance the cybersecurity standards required of federal contractors, specifically regarding how they handle security vulnerabilities. Here’s a breakdown of what the bill proposes:
Implementation Timeline
The bill requires that within 180 days after it becomes law, the following actions must take place:
Review of Regulations
The Director of the Office of Management and Budget (OMB), in coordination with other cybersecurity agencies, must:
- Review the existing Federal Acquisition Regulation (FAR) contract requirements related to contractor vulnerability disclosure programs.
- Make recommendations for updating these requirements to ensure compliance with guidelines from the National Institute of Standards and Technology (NIST), particularly those outlined in the IoT Cybersecurity Improvement Act of 2020.
Procurement Requirements
Following the reviews and recommendations, the Federal Acquisition Regulation Council must:
- Incorporate updates into the FAR that require federal contractors to have processes for reporting potential security vulnerabilities regarding their information systems.
Alignment with Best Practices
The FAR updates must align with:
- The established security vulnerability disclosure process of federal information systems.
- Industry best practices and relevant international standards.
Waivers
In certain situations, the head of an agency can waive the requirement to implement these vulnerability disclosure policies. Two conditions for waivers are:
- The Chief Information Officer of the agency must regard the waiver as necessary for national security or research.
- A notification and justification explaining the waiver must be submitted to relevant congressional committees within 30 days of granting the waiver.
Department of Defense (DoD) Specifics
Additionally, the Secretary of Defense will conduct a review specific to the DoD’s procurement processes, aiming to ensure that the updated Defense Federal Acquisition Regulation Supplement (DFARS) aligns with the same guidelines and requirements set out for the broader federal contractor base.
- This review and any necessary revisions to the DFARS must also be completed within 180 days of the enactment of the law.
Definitions
The bill provides specific definitions, including:
- Covered Contractor: A contractor with federal contracts above a certain financial threshold or those managing federal information systems.
- Security Vulnerability: As defined by the Homeland Security Act of 2002, encompassing risks that may affect information systems.
Conclusion of Contents
In summary, this legislation aims to establish stricter guidelines for federal contractors concerning cybersecurity vulnerability reporting, with clear timelines and compliance expectations set for the relevant parties involved in federal procurement.
Relevant Companies
- BA (Boeing): As a major defense contractor, Boeing would need to adapt its vulnerability disclosure policies to comply with the new guidelines, potentially affecting contract negotiations and project timelines.
- RTX (Raytheon Technologies): Similar to Boeing, Raytheon, which engages heavily with government contracts, would need to enhance its cybersecurity measures, which might involve additional costs and process changes.
- LOCK (Lockheed Martin): As a significant player in the defense sector, Lockheed Martin would be impacted by the new disclosure requirements, necessitating updates to their cybersecurity protocols.
This is an AI-generated summary of the bill text. There may be mistakes.
Sponsors
2 bill sponsors
Actions
9 actions
| Date | Action |
|---|---|
| Mar. 04, 2025 | Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs. |
| Mar. 03, 2025 | Considered under suspension of the rules. (consideration: CR H930-932) |
| Mar. 03, 2025 | DEBATE - The House proceeded with forty minutes of debate on H.R. 872. |
| Mar. 03, 2025 | Motion to reconsider laid on the table Agreed to without objection. |
| Mar. 03, 2025 | Mr. Comer moved to suspend the rules and pass the bill, as amended. |
| Mar. 03, 2025 | On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931) |
| Mar. 03, 2025 | Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931) |
| Jan. 31, 2025 | Introduced in House |
| Jan. 31, 2025 | Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned. |
Corporate Lobbying
0 companies lobbying
None found.
* Note that there can be significant delays in lobbying disclosures, and our data may be incomplete.