LegisTrack
S. 1899, 119th Congress, Introduced

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

Introduced: May 22, 2025
Technology & Innovation
Standard Summary

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 would require federal contractors to have a vulnerability disclosure policy in place that aligns with NIST guidelines. The bill tasks the White House Office of Management and Budget (OMB), in coordination with CISA, the National Cyber Director, NIST, and other agency heads, to study and update Federal Acquisition Regulation (FAR) contract language within two 180-day windows. Specifically, it directs updates to require covered contractors to solicit and address information about potential security vulnerabilities in information systems used to perform federal contracts, in a manner consistent with IoT Cybersecurity Improvement Act guidance and widely recognized standards (ISO 29147 and 30111, or their successors). Agencies can waive the requirement in narrowly defined cases for national security or research purposes, with a post-waiver notification to Congress. The bill explicitly states no new funding is authorized for these changes.

Key Points

  • Mandated policy alignment: Covered federal contractors must implement a vulnerability disclosure policy consistent with NIST guidelines, as required by the IoT Cybersecurity Improvement Act of 2020.
  • Timelines for rulemaking:
    - Within 180 days after enactment, OMB (in consultation with CISA, the National Cyber Director, NIST, etc.) shall propose updates to FAR contract language.
    - Within 180 days after receiving the recommended language, the FAR Council shall amend the FAR to require contractors to solicit and address vulnerability information related to contractor-owned or contractor-controlled information systems used on federal contracts.
  • Standards alignment: Updates should align with IoT Act processes (sections 5-6) and ISO standards 29147 and 30111 (or their successors), or other widely used security-disclosure standards.
  • Waiver authority: Agency heads may waive the requirement if the CIO determines it is necessary for national security or research, but must notify Congress (with rationale and duration) within 30 days.
  • Definitions and scope: Defines “covered contractor,” “agency,” “security vulnerability,” and related terms; applies to contracts at or above the simplified acquisition threshold or to contractors handling federal information systems.
  • No new funding: The bill does not authorize additional appropriations to carry out its provisions.

Impact Areas

Primary: Covered federal contractors (those with contracts at or above the simplified acquisition threshold or managing federal information systems on behalf of an agency) and the procurement/contracting offices that would implement and enforce the updated FAR requirements.

Secondary: Federal agencies implementing the new policy, and federal cybersecurity program stakeholders (CISA, NIST, CIO councils) who coordinate vulnerability disclosure and incident response processes.

Additional impacts: Could increase contractors’ security accountability and reporting burden, drive standardization around vulnerability disclosures, and influence ongoing cybersecurity risk management across government contracting. The waiver mechanism provides a narrow exception that could affect specific programs or research activities.
Generated by gpt-5-nano on Oct 3, 2025