
Bipartisan legislation recently introduced in the U.S. Senate would require federal contractors to adhere to National Institute of Standards and Technology guidelines.
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 would require the Office of Management and Budget to oversee updates to the federal acquisition regulation. Federal contractors would be required to implement a vulnerability disclosure policy consistent with what is already required by federal agencies.
Vulnerability disclosure policies are a way for organizations to receive unsolicited reports of vulnerabilities in their software. The reports help reduce security threats by alerting companies to problems that need to be fixed. Civilian federal agencies are required to have such policies but, under current law, federal contractors are not.
U.S. Sens. James Lankford (R-OK), Senate Committee on Homeland Security & Governmental Affairs member, and Mark R. Warner (D-VA), Senate Select Committee on Intelligence vice chairman, introduced the bill.
“Vulnerability Disclosure Policies are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices,” Warner said. “This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security.”
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them,” Lankford said.