Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
Impact
If enacted, this bill will require a review of the Federal Acquisition Regulation (FAR) to incorporate specific language and requirements related to contractor vulnerability disclosure programs. Covered contractors, those managing or operating federal information systems or contracts that meet certain thresholds, would be mandated to solicit and address information regarding potential security vulnerabilities. The bill stipulates that any amendments to the FAR must align with industry best practices and relevant standards to ensure a robust security framework for federal contracts.
Summary
SB1899, titled the 'Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025', aims to enhance cybersecurity measures among federal contractors by mandating the implementation of a vulnerability disclosure policy consistent with guidelines set forth by the National Institute of Standards and Technology (NIST). The bill seeks to formalize the process through which federal contractors can report any security vulnerabilities associated with their information systems used for government contracts. This proactive approach is intended to improve the overall security posture of federal information systems and mitigate risks related to cybersecurity threats.
Contention
Throughout discussions regarding SB1899, points of contention could arise related to compliance costs and the burden placed on contractors, particularly smaller firms that may find it challenging to meet the specified vulnerability disclosure requirements. Critics may argue that the broad definitions of covered contractors could result in unintended consequences, potentially affecting the willingness of companies to engage in government contracting. Additionally, the stipulation that contract requirements be waivable under certain circumstances raises questions about the consistency and reliability of the cybersecurity measures being proposed within the framework of federal procurement.
Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025This bill requires revisions to acquisition regulations related to information systems vulnerabilities for certain federal contractors. The revisions apply to contractors whose contract is at or above the simplified acquisition threshold ($250,000 in most cases) or that use, operate, manage, or maintain a federal information system on behalf of an agency. Under the bill, the Office of Management and Budget must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for contractor vulnerability disclosure programs. (Such programs establish processes for identifying, reporting, and mitigating information system vulnerabilities discovered by security researchers, software developers, and others.) The recommendations must include requirements to ensure that such contractors implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology. The Federal Acquisition Regulation Council must review these recommendations and update the FAR as necessary to incorporate requirements for such contractors to receive information about potential security vulnerabilities in contractor information systems used in performance of contract.The Department of Defense (DOD) must conduct a similar review and update of regulations with respect to the DOD Supplement to the FAR.
State management: purchasing; awarding contracts to entities that donate or contribute to certain political candidates or committees; prohibit. Amends 1984 PA 431 (MCL 18.1101 - 18.1594) by adding sec. 264b.