Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
- Bill Number
- H.R. 872
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Government Operations and Politics
- Status
- Passed House
- Latest Action
- 2025-03-04: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- Last Updated
- 2026-06-23T17:01:35Z
AI-Generated Summary
Purpose
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 aims to improve cybersecurity for federal government systems by requiring certain federal contractors to adopt policies for reporting and handling potential security weaknesses (known as vulnerabilities) in their information systems. This helps ensure timely disclosure and mitigation of risks, building on existing cybersecurity laws to protect government operations from cyber threats.
Key Provisions
- Recommendations and Updates to Federal Acquisition Regulation (FAR): Within 180 days of the bill's enactment, the Director of the Office of Management and Budget (OMB), in consultation with key cybersecurity leaders (e.g., from the Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), and others), must review and recommend changes to FAR contract language. These updates require "covered contractors" (defined below) to implement vulnerability disclosure policies aligned with NIST guidelines, similar to those in the IoT Cybersecurity Improvement Act of 2020 (which sets standards for securing internet-connected devices used by the government).
- Implementation Timeline: The FAR Council must review these recommendations and update the FAR within another 180 days to mandate that contractors accept and process reports of potential vulnerabilities in systems they own or control under federal contracts.
- Alignment with Standards: The updates must, where possible, match federal vulnerability disclosure processes from the 2020 IoT Act and follow industry best practices, including International Organization for Standardization (ISO) standards like ISO 29147 (for vulnerability disclosure) and ISO 30111 (for vulnerability handling), or similar widely accepted standards.
- Waivers: Agency heads can waive these requirements if the agency's Chief Information Officer deems it necessary for national security or research reasons. Waivers require notification and justification to congressional committees (House Oversight and Government Reform, Senate Homeland Security and Governmental Affairs) within 30 days, including the waiver's duration.
- Department of Defense (DoD) Specifics: The DoD Secretary must follow a parallel process for the Defense FAR Supplement (DFARS), reviewing and updating it within similar timelines to apply the same requirements to DoD contractors. Waivers for DoD follow a comparable process, with notifications to the House and Senate Armed Services Committees, in consultation with the National Manager for National Security Systems.
- Definitions:
- Covered contractor: A federal contractor with contracts at or above the "simplified acquisition threshold" (a dollar amount set by law, currently around $250,000, below which procurement rules are simpler) or one that uses, operates, manages, or maintains federal information systems on behalf of an agency.
- Other terms include standard definitions for "agency," "security vulnerability" (a flaw that could be exploited by cyber threats), and references to FAR, DFARS, NIST, and OMB.
Significant Changes to Existing Law
- This act expands the IoT Cybersecurity Improvement Act of 2020 by extending its NIST-based vulnerability disclosure requirements beyond internet-of-things (IoT) devices to all relevant federal contractor information systems.
- It introduces mandatory contract language in the FAR and DFARS specifically for vulnerability reporting, which was not previously required across all covered contracts. Prior laws focused more on general cybersecurity standards rather than coordinated disclosure processes.
- Adds waiver mechanisms with congressional oversight, creating a balance between security mandates and flexibility for sensitive cases, which builds on but formalizes existing agency discretion.
Potential Impacts
- Government Agencies: Agencies like OMB, CISA, NIST, and DoD will face new administrative duties for reviews, updates, and waiver reporting, potentially increasing workload but enhancing overall cybersecurity resilience for federal systems (e.g., reducing risks of data breaches or disruptions).
- Citizens: Indirect benefits through stronger protection of government services and data (e.g., fewer cyber incidents affecting public programs like benefits or tax systems), though no direct citizen-facing changes.
- International Relations: Minimal direct impact, but alignment with global standards like ISO could facilitate better coordination with international partners on cybersecurity, potentially aiding U.S. efforts in global cyber threat sharing without altering foreign policy.
- Broader effects include possible cost increases for contract compliance, but improved vulnerability handling could prevent expensive cyber incidents for the government and contractors.
Main Stakeholders Affected
- Covered Contractors: Primary group, including large and small businesses with federal contracts above the simplified acquisition threshold or managing federal systems; they must adopt and maintain disclosure policies, potentially increasing compliance costs but also gaining from standardized practices.
- Federal Agencies and DoD: Responsible for implementing updates, granting waivers, and ensuring contract compliance; benefits from reduced cyber risks but adds oversight burdens.
- Cybersecurity Entities: OMB, CISA, NIST, and the National Cyber Director lead reviews and provide expertise, reinforcing their roles in federal cybersecurity.
- Congressional Committees: House Oversight and Government Reform, Senate Homeland Security and Governmental Affairs, and Armed Services Committees receive waiver notifications, enabling legislative oversight.
- Industry: Benefits from alignment with best practices, potentially standardizing vulnerability reporting across sectors.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens federal procurement law (FAR/DFARS) by embedding cybersecurity requirements, potentially leading to more enforceable contracts and fewer disputes over vulnerability handling. Waivers provide flexibility but include accountability via congressional reporting, avoiding overly rigid mandates.
- Constitutional: No apparent conflicts; it operates within Congress's authority over federal spending and national security (e.g., under Article I's appropriations power), without infringing on free speech or privacy rights.
- Political: Promotes bipartisan cybersecurity priorities by formalizing executive branch actions, but could spark debates on contractor burdens (e.g., small businesses) versus national security needs. Enhances congressional oversight without new funding mandates, aligning with trends in proactive cyber legislation.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (1)
Rep. Brown, Shontel M. [D-OH-11]
Recent Actions
- 2025-03-04: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- 2025-03-03: Motion to reconsider laid on the table Agreed to without objection.
- 2025-03-03: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
- 2025-03-03: Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
- 2025-03-03: DEBATE - The House proceeded with forty minutes of debate on H.R. 872.
- 2025-03-03: Considered under suspension of the rules. (consideration: CR H930-932)
- 2025-03-03: Mr. Comer moved to suspend the rules and pass the bill, as amended.
- 2025-01-31: Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-01-31: Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-01-31: Introduced in House
- 2025-01-31: Introduced in House
Bill Versions
- Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 — issued 2025-03-03 — PDF (8 pages)
- Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 — issued 2025-01-31 — PDF (7 pages)
- Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 — issued 2025-03-04 — PDF (7 pages)