Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 would require federal contractors to have a vulnerability disclosure policy aligned with established cybersecurity guidance. Within 180 days of enactment, senior federal leadership (OMB and agency partners such as CISA, the National Cyber Director, and NIST) must review contractor vulnerability disclosure requirements and propose updates to the Federal Acquisition Regulation (FAR) to ensure contractors receive information about potential security vulnerabilities affecting information systems they own or control in performance of a contract. The updates should align with the IoT Cybersecurity Improvement Act guidelines (as to vulnerability disclosure) and internationally recognized standards (ISO 29147 and ISO 30111). The FAR update would apply to covered contractors (those with contracts at or above the simplified acquisition threshold, or those handling federal information systems on behalf of an agency). DoD has parallel responsibilities to update the DFARS and implement similar disclosure requirements. The bill also provides narrowly defined waivers for national security or research purposes, with reporting to the relevant congressional committees. In short, it aims to standardize, tighten, and coordinate how vulnerabilities are disclosed and handled in federal contractor environments, increasing transparency and potentially reducing cyber risk across the federal contractor ecosystem.
Key Points
1. Timeline and governance: Within 180 days, the Director of OMB, in consultation with CISA, the National Cyber Director, NIST, and agency heads, must review FAR contract language on vulnerability disclosure and recommend updates to the FAR Council to require a vulnerability disclosure policy for covered contractors.
2. Alignment with standards: Updates must align with the IoT Cybersecurity Improvement Act guidelines (section 5) and, to the extent practicable, with ISO standards 29147 (vulnerability disclosure processes) and 30111 (handling of vulnerabilities) or other widely used standards.
3. Scope of coverage: “Covered contractors” are those with contracts at or above the simplified acquisition threshold or those that use, operate, or maintain a federal information system on behalf of an agency.
4. Information sharing requirement: The updated FAR must require covered contractors to receive information about potential security vulnerabilities related to an information system owned or controlled by the contractor, in connection with contract performance.
5. DoD implementation: DoD must review its DFARS language within 180 days and revise the DFARS accordingly to require vulnerability disclosure policies consistent with the same NIST-based guidance, with separate waiver authority for DoD that includes congressional notification within 30 days.
6. Waivers: Agency heads (and, for DoD, the CIO in consultation with the National Manager for National Security Systems) may waive the policy requirement if necessary for national security or research, but must notify the specified congressional committees with justification and duration within 30 days.