Improving Contractor Cybersecurity Act
Plain Language Summary
**What it would do:** This bill would require federal contractors working on government IT projects to maintain a formal vulnerability disclosure policy (VDP) and program: a documented way for outside security researchers and staff to report cybersecurity vulnerabilities (security weaknesses in software or systems) and a process for handling those reports. Contractors would also have to report to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) within seven days after publishing the VDP, and then on an ongoing basis as vulnerability reports come in. The reports CISA must receive cover valid or credible reports of previously unknown vulnerabilities in systems that use commercial software or services, where the flaw affects, or is likely to affect, other parties in government or industry; these are reported once a patch or viable mitigation is available, which matches standard coordinated disclosure practice. Contractors may also bring in CISA in any other situation where they judge it helpful or necessary. CISA would then submit the vulnerabilities to the MITRE Common Vulnerabilities and Exposures (CVE) database and NIST's National Vulnerability Database (NVD), the public catalogs used to track known flaws across both government and private sector systems.

**Who it affects:** Federal government agencies that hire IT contractors, and the private contractors themselves. Any company wanting to bid on federal IT contracts would need to establish and maintain a vulnerability disclosure policy and program to qualify.

**Key provision:** The main requirement is creating a formal "vulnerability disclosure policy," essentially a documented process for security researchers and staff to report bugs they find, together with a commitment to pass qualifying vulnerabilities on to CISA as reports are received.

**Current status:** The bill (HR 1258) was introduced in the 119th Congress by Rep. Ted Lieu (D-CA) and is currently in committee, meaning it has not yet been voted on by the full House of Representatives.
CRS Official Summary
This bill prohibits an executive agency from entering into a contract for information technology unless the contractor maintains a vulnerability disclosure policy (VDP) and program.

The contractor must report to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, within seven days after the VDP is published and on an ongoing basis as vulnerability reports are received, information regarding

- any valid or credible report of a not previously known public vulnerability on a system that uses commercial software or services that affect, or are likely to affect, other parties in government or industry once a patch or viable mitigation is available; and
- any other situation where the contractor determines it would be helpful or necessary to involve CISA.

CISA must submit vulnerabilities to the MITRE Common Vulnerabilities and Exposures database and the National Institute of Standards and Technology National Vulnerability Database.
Latest Action
Referred to the House Committee on Oversight and Government Reform.