On Thursday, U.S. Sens. Mark Warner (D-VA) and James Lankford (R-OK) introduced legislation they said will strengthen federal cybersecurity by forcing federal contractors to adhere to cybersecurity guidelines.
The legislation, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, would ensure contractors adhere to guidelines laid out by the National Institute of Standards and Technology (NIST), said Warner, the chair of the Senate Select Committee on Intelligence. The legislation would also require federal contractors to have Vulnerability Disclosure Policies (VDPs), which allow for unsolicited reports of vulnerabilities within software so that patches can be installed before an attack can occur.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Warner said. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”
Currently, civilian federal agencies are required to have VDPs, but there is no requirement for federal contractors to have VDPs for the information systems used in their contract fulfillment. The proposed legislation would require VDPs for federal contractors and formalize the actions they would have to take in order to reduce known security vulnerabilities.
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Lankford said.
Companion legislation is being introduced in the House by U.S. Rep. Nancy Mace (R-SC).