H.R. 1258 — Improving Contractor Cybersecurity Act

This section establishes the short title of the Act as the “Improving Contractor Cybersecurity Act.”

This section establishes a new requirement that, before an executive agency may enter into a contract for information technology, the contractor must maintain a vulnerability disclosure policy and related program. As background, vulnerability disclosure policies allow security researchers to identify and report weaknesses in systems so they can be fixed before they are exploited. The policy must include: (1) a description of which systems are in scope and what testing is authorized or prohibited; (2) restrictions for systems that host sensitive information, including options to prohibit saving or transferring sensitive information after discovery, require that it be viewed only as needed to identify the vulnerability, or limit use of information to reporting the vulnerability; (3) instructions for submitting reports, including where to send them, what technical information is needed, and a statement that reports may be submitted anonymously and how incomplete submissions will be handled; (4) a commitment not to pursue civil action for accidental, good faith violations of the policy; (5) a commitment to inform the public or a court if a researcher acting under the policy is sued by a third party; (6) a description of the expected time frame for acknowledging reports and the remediation process; and (7) guidelines identifying acceptable and unacceptable researcher activity. The policy may not require researchers to provide personally identifiable information and may not limit testing only to contractor-approved entities; instead, it must allow the public to search for and report vulnerabilities. The contractor also must describe additional procedures for communicating with researchers, establish target timelines and tracking for receipt of reports, initial assessment, and resolution, and maintain a website page that allows anyone to submit vulnerabilities, lists contact information for the responsible reviewer, and explains the review process, response time, and whether monetary rewards will be paid. If the contractor discovers a vulnerability that it is not responsible for patching, it must submit the vulnerability to the responsible party or direct the researcher to the appropriate party. The section further requires the contractor to report to the Cybersecurity and Infrastructure Security Agency (CISA) not later than 7 days after publishing the policy, and on an ongoing basis as reports are received, any valid or credible report of a previously unknown public vulnerability, including a misconfiguration, on a system using commercial software or services that is likely to affect other parties in government or industry once a patch or viable mitigation is available, as well as any other situation in which the contractor determines CISA involvement is helpful or necessary. CISA must then communicate with and, as necessary, submit vulnerabilities to the MITRE Common Vulnerabilities and Exposures database and the National Institute of Standards and Technology National Vulnerability Database. The section defines “executive agency” by reference to 41 U.S.C. § 133, “researcher” as the individual submitting a vulnerability report, and “information technology” by reference to 40 U.S.C. § 11101.