U.S. Representative Nancy Mace (R-S.C.) has introduced the Federal Cybersecurity Vulnerability Reduction Act of 2023 (H.R. 7842), a bill that would require federal contractors to implement vulnerability disclosure policies (VDPs). VDPs are a way for security researchers to report vulnerabilities to organizations in a safe and confidential manner.
The proposed bill would require the Office of Management and Budget (OMB) to update the Federal Acquisition Regulation (FAR) to require federal contractors to implement VDPs that are consistent with the guidelines of the National Institute of Standards and Technology (NIST). The bill would also allow chief information officers (CIOs) to waive VDP requirements in the interest of national security or research purposes.
"By mandating Vulnerability Disclosure Policies for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly," Rep. Mace said in a statement. "This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information. With the Federal Cybersecurity Vulnerability Reduction Act, we will reinforce our commitment to a robust and resilient cyberspace, fostering trust and security in the digital age."
The bill has been referred to the House Committee on Oversight and Reform. If it is passed by the House and Senate, it would be sent to the president for his signature.
Here are some of the key provisions of the legislation:
- Requires federal contractors to implement VDPs that are consistent with NIST guidelines
- Allows CIOs to waive VDP requirements in the interest of national security or research purposes
- Requires OMB to update the FAR to reflect the new requirements
- Requires the Cybersecurity and Infrastructure Security Agency (CISA) to provide technical assistance to federal contractors in implementing VDPs
The bill has been praised by cybersecurity experts, who say that it would help to improve the security of federal information systems. However, some critics have argued that the bill could be too burdensome for small businesses.
According to Karen Painter Randall, Partner and Chair, Cybersecurity Data Privacy and Incident Response, Connell Foley LLP:
"Since the creation of bug bounties and hackathons several years ago, the Department of Defense has caught more than 40,000 vulnerabilities. In 2019, white-hat hackers detected 54 vulnerabilities in the Air Force's Amazon Web Services and Microsoft Azure which was hosting the Air Force portal. The DoD and its federal defense contractors face the same escalating cyber threats that every industry faces daily. The military must focus on the strength of its supply chain involving businesses it relies on for equipment and services. Moreover, the DoD entrusts highly sensitive and proprietary data and networks with its defense contractors.
It is more than reasonable to expect federal contractors doing business with the DoD to be proactive addressing serious software vulnerabilities and attack vectors and fully implementing Vulnerability Disclosure Policies as a condition precedent to contracting."
Chahak Mittal, Senior Cybersecurity Engineer (Governance Risk and Compliance), Universal Logistics Holdings, said:
"In my opinion, this is a crucial step towards enhancing cybersecurity measures. Mandating vulnerability disclosure policies for federal contractors aligns with global standards and empowers them to proactively address software vulnerabilities. This legislation reinforces trust and security in the digital age, which is vital for maintaining a resilient cyberspace. The bill's emphasis on following guidelines established by NIST highlights a commitment to recognized best practices."
Mittal will be presenting on "How Deep Are We in These Fakes? Addressing AI Advancements" at the SecureWorld Detroit conference on September 28.
Kip Boyle, vCISO, Cyber Risk Opportunities LLC, had this to say about the proposed bill:
"This is a reasonable change when looked at it on its own. What remains to be seen is how it will look within the larger context of the U.S. federal government's overall push for greater cybersecurity from its vendors, particularly from the small and medium-sized ones. Between federal initiatives like DFARS (where Defense Department vendors must comply with controls based on NIST SP 800-171) and the False Claims Act (a law that is being actively used to impose criminal and civil penalties for over-representing cybersecurity capabilities), costs are going up without the promise of more federal dollars."
Boyle shared two relevant episodes from his Cyber Risk Management podcast:
• What's with NIST Special Publication 800-171, Revision 3, and CMMC?
• Normalizing Greater Accountability for Cybersecurity Fraud
Boyle is teaching a PLUS Course on "Implementing the NIST Cybersecurity Framework" at all six SecureWorld conferences this fall, starting with Denver on Sept. 20 (the day after SecureWorld Denver).
In 2020, OMB directed federal agencies to use vulnerability disclosure policies. CISA also published a VDP binding operational directive and implementation guidance.
"VDPs establish processes for the identification, management, and remediation of security vulnerabilities uncovered by security researchers," OMB's memo states. "They are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment. They also provide protection for those who uncover these vulnerabilities by differentiating between good-faith security research and unacceptable means of gathering security information."
