Improving Contractor Cybersecurity Act
The Improving Contractor Cybersecurity Act would require information technology contractors working on executive-branch contracts to maintain a formal vulnerability disclosure policy (VDP) and a vulnerability disclosure program as a condition of contracting. The policy must specify which systems are in scope, what kinds of testing are allowed, how sensitive information is handled, how researchers submit vulnerability reports (including anonymously), and what protections apply to researchers who report in good faith. Contractors would also need to publish a public-facing page with submission options, contact information, a description of how reports are reviewed, and whether monetary rewards are offered.

In addition, contractors would have to report certain vulnerability information to the Cybersecurity and Infrastructure Security Agency (CISA): an initial report within seven days of the policy's publication, then ongoing reports as new vulnerability reports arrive. CISA would in turn share vulnerabilities with MITRE's CVE database and the NIST National Vulnerability Database (NVD).

The bill aims to improve government and industry cybersecurity by encouraging transparent vulnerability reporting, faster remediation, and better coordination with the national vulnerability databases. It also gives researchers a framework and some assurances, such as safe harbor for good-faith disclosures, and makes clear that the policy must permit public reporting rather than restrict testing to entities the contractor has approved. The requirement would apply only to contracts entered into after enactment, not to existing agreements.
Key Points
1. Requires IT contractors on executive-agency contracts to maintain a vulnerability disclosure policy and program as a condition of contracting.
2. Policy content must include: scope of systems; allowed testing (and its limits); handling of sensitive information; how to submit reports (where, what information is required, anonymity, and how incomplete submissions are evaluated); safe harbors for good-faith disclosures; post-submission communications; and acceptable researcher activities.
3. The policy must not require researchers to submit personal information, must not limit testing to contractor-approved entities, and should authorize public vulnerability reporting.
4. Contractors must publish a public-facing webpage for vulnerability submissions, with contact information, review process details, remediation timelines, and a statement of whether monetary rewards are offered.
5. If a discovered vulnerability is not within the contractor's responsibility to patch, the contractor must direct the researcher to the responsible party.
6. Reporting to CISA: an initial report within seven days after the policy is published, then ongoing reports for new vulnerability reports, including credible non-public vulnerabilities once patches or mitigations exist, and other situations where CISA involvement would be beneficial.
7. CISA is to coordinate vulnerability disclosures with MITRE's CVE database and NIST's National Vulnerability Database (NVD).
8. Defines key terms (executive agency, researcher, information technology) and sets an effective date that applies to contracts entered into after enactment.