House bill mandates federal contractors to implement vulnerability disclosure policies

A new bill has been introduced by House Representative Nancy Mace, a Republican from South Carolina and chairwoman of the Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation. The legislation requires federal contractors to implement a Vulnerability Disclosure Policy (VDP) to help them identify software vulnerabilities so they can be fixed before bad actors exploit them.

The ‘Federal Cybersecurity Vulnerability Reduction Act’ would require that federal contractors implement VDPs consistent with guidelines from the National Institute of Standards and Technology (NIST). The legislative move expands on a September 2020 requirement that all federal agencies implement VDPs and will be vital for keeping government systems and information more secure. The requirement was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Binding Operational Directive 20-01, ‘Develop and Publish a Vulnerability Disclosure Policy.’ 

The security agency outlined then that a VDP is an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems. This directive requires each agency to develop and publish a VDP and maintain supporting handling procedures. 

“The Federal Cybersecurity Vulnerability Reduction Act will play a crucial role in safeguarding our nation’s digital infrastructure. By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Congresswoman Mace said in an emailed statement. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.” 

She added that with the Federal Cybersecurity Vulnerability Reduction Act, “we will reinforce our commitment to a robust and resilient cyberspace, fostering trust and security in the digital age.”

While the government has embraced VDPs as ‘among the most effective methods for obtaining new insights regarding security vulnerability information’, not all contractors supporting government functions have implemented a VDP of their own. Until VDPs are required for all businesses that access government data and networks, the entire federal digital ecosystem will remain more vulnerable. Furthermore, requiring VDPs for federal contractors is important to national and economic security.

If enacted, the Federal Cybersecurity Vulnerability Reduction Act would require all federal contractors to implement VDPs to better protect their information systems, leading to enhanced security for both the public and private sectors.

For federal contractors who have not yet implemented their own VDPs, timely identification and remediation of vulnerabilities will improve their network defenses and reduce potential cyber threats that could harm their own systems as well as federal information systems. By calling for all contractors to adopt VDPs, the legislation brings a much needed comprehensive approach to protecting federal data and systems. 

“Congresswoman Mace’s introduction of the Federal Cybersecurity Vulnerability Reduction Act fills an important gap in the security of contractors who are supporting government functions,” Ilona Cohen, chief legal and policy officer of HackerOne, said in an email message. “Engaging the security researcher community through VDPs is a proven, effective way for federal contractors to identify vulnerabilities in their systems. HackerOne stands ready to work with Congress to get this legislation passed and implemented.” 

Marten Mickos, CEO of HackerOne, said that the Federal Cybersecurity Vulnerability Reduction Act will ensure federal contractors are well-prepared for an increasingly challenging threat landscape. “When federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks. HackerOne supports Congresswoman Mace’s efforts to pass this legislation and sign it into law.”

Earlier this month at the Black Hat USA 2023 conference, Trend Micro announced that its Zero Day Initiative (ZDI) program published advisories addressing over 1000 unique vulnerabilities in the first half of this year, highlighting the company’s commitment to coordinated disclosure. The announcement also pointed to the potential real-world impact of weaponizing these vulnerabilities, which could result in time and financial losses exceeding ten times the cost of prevention.
