H.R. 872

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

House Bill · 119th Congress · Status: Passed House

Plain Language Summary

What the Bill Does: This bill requires the federal government to update its rules for how private companies that work on government contracts must handle cybersecurity problems. Specifically, it directs the Office of Management and Budget to review and recommend better standards for "vulnerability disclosure programs"—these are processes that allow security researchers and developers to report computer security weaknesses they discover so they can be fixed before criminals exploit them. The bill applies to contractors working on federal contracts worth $250,000 or more, or any company that manages government computer systems.

Who It Affects: The bill primarily affects private companies that do business with the federal government, particularly those in the technology and defense sectors. It also indirectly benefits the general public by potentially improving the security of government systems and the data they hold. Federal agencies would need to update their contracting rules to implement any new requirements.

Key Provisions and Current Status: The main requirement is that the government establish clearer, more standardized policies for how contractors should identify and report security vulnerabilities—following guidelines from the National Institute of Standards and Technology. The bill has already passed the House of Representatives and is now awaiting consideration in the Senate.

CRS Official Summary

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

This bill requires revisions to acquisition regulations related to information systems vulnerabilities for certain federal contractors. The revisions apply to contractors whose contract is at or above the simplified acquisition threshold ($250,000 in most cases) or that use, operate, manage, or maintain a federal information system on behalf of an agency.

Under the bill, the Office of Management and Budget must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for contractor vulnerability disclosure programs. (Such programs establish processes for identifying, reporting, and mitigating information system vulnerabilities discovered by security researchers, software developers, and others.) The recommendations must include requirements to ensure that such contractors implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology.

The Federal Acquisition Regulation Council must review these recommendations and update the FAR as necessary to incorporate requirements for such contractors to receive information about potential security vulnerabilities in contractor information systems used in performance of a contract. The Department of Defense (DOD) must conduct a similar review and update of regulations with respect to the DOD Supplement to the FAR.

Latest Action

March 4, 2025

Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Subjects

Computer security and identity theft
Government information and archives
Public contracts and procurement

Sponsor

R
1 cosponsor

Key Dates

Introduced
January 31, 2025
Last Updated
March 4, 2025