H.R. 872 — Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

This section directs the Director of the Office of Management and Budget (OMB), in consultation with specified officials including the Director of the National Institute of Standards and Technology (NIST), to review, within 180 days of enactment, Federal Acquisition Regulation (FAR) requirements for contractor vulnerability disclosure programs and recommend updates to the FAR Council to require covered contractors to implement policies consistent with NIST guidelines under sec. 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c). (The IoT Cybersecurity Improvement Act directs NIST to develop cybersecurity guidelines for Internet-of-Things devices procured by the federal government, including processes for disclosing security vulnerabilities in such devices.) Within 180 days after receiving the recommendations, the FAR Council must update the FAR to require covered contractors to receive information on potential security vulnerabilities in contractor-owned or -controlled information systems used in contract performance, aligned to the maximum extent practicable with secs. 5 and 6 of the IoT Act and industry standards such as ISO 29147 and 30111; agency heads may waive these requirements for national security or research purposes with congressional notification. This section further directs the Secretary of Defense to review and revise, on parallel 180-day timelines, the Department of Defense Supplement to the FAR (DFARS) with comparable requirements, elements, and waiver authority for the DoD Chief Information Officer. It defines key terms including "covered contractor" (generally, contractors with awards at or above the simplified acquisition threshold or managing federal information systems), "FAR," "DFARS," and "security vulnerability."