“A bill to require Federal contractors to implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.”
No CRS summary available for this bill.
This section directs the Director of the Office of Management and Budget (OMB), in consultation with specified officials including the Director of the National Institute of Standards and Technology (NIST), to review Federal Acquisition Regulation (FAR) requirements for contractor vulnerability disclosure programs and to recommend updates to the FAR Council within 180 days of enactment, so that covered contractors implement policies consistent with the NIST guidelines issued under sec. 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c). It further requires the FAR Council, within 180 days of receiving the recommendations, to amend the FAR to mandate that covered contractors solicit and address information on potential security vulnerabilities in information systems used for federal contracts; those amendments must align, to the maximum extent practicable, with secs. 5 and 6 of the IoT Cybersecurity Improvement Act (15 U.S.C. 278g–3c, 278g–3d) and with industry standards such as ISO 29147 and ISO 30111. (As background, the IoT Cybersecurity Improvement Act establishes NIST guidelines for securing Internet-of-Things devices in federal systems, including coordinated vulnerability disclosure processes.) It authorizes agency heads to waive the requirement for national security or research purposes upon a Chief Information Officer determination, with notification to specified congressional committees within 30 days, and defines terms including "covered contractor" (i.e., a contractor with a contract at or above the simplified acquisition threshold or one that manages a federal information system).