S. 1899: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
This bill, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, aims to improve the cybersecurity practices of federal contractors by requiring them to adopt vulnerability disclosure policies, and by writing that requirement into the federal procurement rules.
Key Provisions
- Policy Implementation: Covered federal contractors will be required to implement a vulnerability disclosure policy (VDP), a published process through which outside security researchers can report vulnerabilities in contractor systems, consistent with guidelines issued by the National Institute of Standards and Technology (NIST). The aim is to strengthen the security practices of contractors working with federal agencies.
- Timeline for Implementation: Within 180 days of enactment, the Director of the Office of Management and Budget (OMB), in consultation with other federal cybersecurity leaders, must review the existing contract requirements for contractor vulnerability disclosure programs and recommend updates, including contract language, to those requirements.
- Incorporation into the Federal Acquisition Regulation: Within 180 days of receiving OMB's recommended contract language, the Federal Acquisition Regulation Council must review and, where necessary, amend the Federal Acquisition Regulation (FAR) so that it requires covered contractors to solicit, receive, and act on reports of security vulnerabilities in the information systems they use to perform federal contracts.
- Alignment with Best Practices: The FAR updates must be consistent with the NIST guidelines and, where applicable, with ISO/IEC 29147 (vulnerability disclosure: how an organization receives and publishes vulnerability reports) and ISO/IEC 30111 (vulnerability handling: how it triages and remediates them).
- Waiver Provisions: An agency head may waive the vulnerability disclosure policy requirement for a contract when necessary for national security or research purposes. Within 30 days of granting a waiver, the agency must notify the relevant Senate and House committees and provide its justification.
Definitions
The bill provides specific definitions for key terms such as:
- Agency: Carries the meaning given in the existing federal statute the bill cites.
- Covered Contractor: Any contractor holding a federal contract valued above the simplified acquisition threshold, or any contractor that operates a federal information system on an agency's behalf.
- Security Vulnerability: Carries the meaning given in existing federal law.
No Additional Funding
The bill authorizes no additional appropriations to carry it out; agencies and contractors must absorb the cost of the required changes within existing budgets.
Relevant Companies
None found
This is an AI-generated summary of the bill text. There may be mistakes.
Sponsors
2 bill sponsors
Actions
2 actions
Date | Action |
---|---|
May. 22, 2025 | Introduced in Senate |
May. 22, 2025 | Read twice and referred to the Committee on Homeland Security and Governmental Affairs. |
Corporate Lobbying
0 companies lobbying
None found.
* Note that there can be significant delays in lobbying disclosures, and our data may be incomplete.
Potentially Relevant Congressional Stock Trades
No relevant congressional stock trades found.