Rep. Nancy Mace, R-S.C., has proposed new legislation that would expand the use of vulnerability disclosure policies to federal contractors. A VDP is a formalized way for people to share observed or potential cybersecurity flaws with an organization.
While the Office of Management and Budget instructed federal agencies to implement VDPs back in 2020, this latest proposal, the Federal Cybersecurity Vulnerability Reduction Act, focuses on pushing federal contractors to do the same. The bill comes amid a growing focus on securing sensitive federal information housed on contractor-owned systems through initiatives like the Pentagon’s Cybersecurity Maturity Model Certification.
The legislation orders OMB, along with the directors of the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, to recommend new requirements to the Federal Acquisition Regulation Council, which helps coordinate the government’s approach to procurement. Those updates, the legislation proposes, should include VDPs consistent with NIST guidelines.
The legislation also stipulates that chief information officers may waive VDP requirements if doing so is necessary in the interest of national security or research. The bill also outlines specific responsibilities for the Department of Defense.
In its 2020 memo, OMB said that VDPs “are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.” In particular, the agency noted that this approach provides protection to those who report vulnerabilities — and helps differentiate between “good faith” researchers and those using “unacceptable” methods.
Organizations often use VDPs as a starting point to launch bounty programs, in which they pay cybersecurity researchers to report vulnerabilities found in their systems. The Pentagon has employed a VDP since 2016 and hosted numerous bug bounty efforts.
“When federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks,” said Marten Mickos, the CEO of HackerOne, a cybersecurity firm supporting the legislation, in a statement shared with FedScoop.