The US House of Representatives recently passed the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025. The bill mandates federal contractors to adopt a vulnerability disclosure policy (VDP) aligned with NIST guidelines. This policy aims to ensure contractors take appropriate cybersecurity measures and make it easier for external parties to report vulnerabilities. The bill instructs the Office of Management and Budget (OMB) to consult with various cybersecurity entities like CISA and the National Cyber Director’s office to create a standardized VDP for all federal contractors.
The bill also places particular emphasis on defense contractors, requiring them to implement similar policies to address cybersecurity risks.
The objective is to foster responsible vulnerability disclosures that enhance the security of systems handling sensitive information. The legislation aims to protect federal data and critical infrastructure by establishing a clear framework for reporting vulnerabilities and addressing them in a timely manner. It aims to promote proactive cybersecurity practices across all sectors involved in government contracting.
Ahead of the bill’s passage, several major cybersecurity and tech companies showed their support for the legislation.
Companies like HackerOne, Microsoft, and Trend Micro signed a letter urging the passage of the bill. They stressed that federal contractors, due to the sensitive data they handle, are prime targets for cyber threats. By requiring all contractors to adopt best security practices, the bill aims to reduce the risks posed by cybersecurity vulnerabilities in the federal contracting space.
Introduced in 2023 by Representative Nancy Mace and supported by Senators Mark Warner and James Lankford, the bill has taken years to progress. It was incorporated into the National Defense Authorization Act (NDAA) in 2024 and is now being reviewed by the Senate. If passed, the bill will help solidify cybersecurity policies for contractors working with the federal government. By addressing the issue of vulnerability reporting, the legislation aims to strengthen cybersecurity practices and protect critical systems from exploitation.
Reference:
