Rep. Ted W. Lieu (D-CA) has introduced a measure designed to bolster government vendor cybersecurity.
The Improving Contractor Cybersecurity Act would amend the federal public contracts title of the U.S. Code to require vendors seeking to do business with the government to maintain vulnerability disclosure policies and programs.
“I have long been a supporter of vulnerability disclosure policies and programs (VDPs) in both the federal government and private sector,” Lieu said. “They allow security researchers to find software vulnerabilities and notify owners before they can be exploited by bad actors. The Department of Homeland Security already requires federal agencies to maintain VDPs because leaders in government recognize VDPs are one of our best chances at stopping cyberattacks before they happen.”
Lieu said there is no reason government contractors should not also be asked to maintain vulnerability disclosure policies, considering the web of third-party vendors on which the government relies.
“I am pleased that the Biden administration also recognizes this need and mentioned VDPs in its recent Executive Order as one way to shore up federal cybersecurity,” Lieu said. “I am proud to introduce the Improving Contractor Cybersecurity Act and am grateful to the many security researchers, think tank experts, and members of industry who provided valuable feedback as we crafted this common-sense legislation.”
Beau Woods, Cyber Safety Innovation fellow at the Atlantic Council, said reports of cybersecurity vulnerabilities inoculate against adversaries who would use them to do harm.
“Companies with mature software development programs recognize this and accept reports from security researchers acting in good faith through coordinated vulnerability disclosure programs,” he said.