0
Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
3/7/2025, 4:23 AM
Summary of Bill HR 872
The purpose of this legislation is to enhance the overall cybersecurity posture of the federal government by promoting transparency and accountability in the handling of vulnerabilities. By requiring contractors to establish a formal process for receiving and addressing reports of vulnerabilities, the bill seeks to improve the timely identification and remediation of potential security threats.
In addition to mandating the implementation of a vulnerability disclosure policy, the bill also includes provisions for the protection of individuals who report vulnerabilities in good faith. This is intended to encourage individuals to come forward with information about potential security weaknesses without fear of retaliation. Overall, Bill 119 HR 872 represents a proactive approach to strengthening cybersecurity within the federal government by promoting best practices for vulnerability management and fostering a culture of collaboration between contractors and government agencies.
Congressional Summary of HR 872
Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
This bill requires revisions to acquisition regulations related to information systems vulnerabilities for certain federal contractors. The revisions apply to contractors whose contract is at or above the simplified acquisition threshold ($250,000 in most cases) or that use, operate, manage, or maintain a federal information system on behalf of an agency.
Under the bill, the Office of Management and Budget must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for contractor vulnerability disclosure programs. (Such programs establish processes for identifying, reporting, and mitigating information system vulnerabilities discovered by security researchers, software developers, and others.) The recommendations must include requirements to ensure that such contractors implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology. The Federal Acquisition Regulation Council must review these recommendations and update the FAR as necessary to incorporate requirements for such contractors to receive information about potential security vulnerabilities in contractor information systems used in performance of contract.
The Department of Defense (DOD) must conduct a similar review and update of regulations with respect to the DOD Supplement to the FAR.
Read the Full Bill
Current Status of Bill HR 872
Bipartisan Support of Bill HR 872
Total Number of Sponsors
8Democrat Sponsors
0Republican Sponsors
8Unaffiliated Sponsors
0Total Number of Cosponsors
1Democrat Cosponsors
1Republican Cosponsors
0Unaffiliated Cosponsors
0Policy Area and Potential Impact of Bill HR 872
Primary Policy Focus
Government Operations and PoliticsAlternate Title(s) of Bill HR 872
Comments
Matheo King
11 months ago
This bill is bad for us, it make things harder for everyone. Why they do this? It not good for me.
Esmeralda Lanier
1 year ago
This bill is so dumb, like seriously? Contractors need to have a policy for vulnerabilities? What a waste of time and money. Like, who even cares about this stuff? It's just a bunch of nonsense. I can't believe they're actually making this a thing. SMH.
