Federal contractors would be required to implement vulnerability disclosure policies that align with National Institute of Standards and Technology guidelines under a bipartisan Senate bill introduced last week.

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., is a companion to legislation from Rep. Nancy Mace, R-S.C., which was advanced by the House Oversight Committee in May.

The bill from Warner and Lankford on vulnerability disclosure policies (VDPs) aims to create a structure through which contractors receive reports of vulnerabilities in their products and remediate them before an attacker can exploit them.

“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Warner said in a statement. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks.”

While current federal law requires civilian agencies to have VDPs, there is no such standard for federal contractors. The bill would address that discrepancy by instituting a requirement for contractors and mandating that they accept, assess, and manage the vulnerability reports they receive.

“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them,” Lankford said in a statement. “By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking.”

A fact sheet accompanying the release of the bill referenced the 2015 Office of Personnel Management data breach, which was made possible by vulnerabilities in systems used by two contractors that stored data on federal employee background checks. This legislation, the fact sheet noted, would ensure that “good-faith security researchers” can reach out directly to federal contractors without having to provide additional reporting to an agency.

The bill would require the Office of Management and Budget to spearhead Federal Acquisition Regulation updates, a move intended to guarantee that contractors’ VDPs align with current federal agency requirements. The Secretary of Defense would have the same obligations for Defense Federal Acquisition Regulation Supplement contract standards.

The press release announcing the legislation included statements of support from Palo Alto Networks and HackerOne, whose chief legal and policy officer, Ilona Cohen, said the bill “addresses a critical gap” in U.S. cybersecurity.

“This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors,” she said.

The post Vulnerability disclosure policies eyed for federal contractors in Senate bill appeared first on CyberScoop.
