H.R. 872, 119th Congress

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

Sponsored By: Representative Mace, Nancy [R-SC-1]

Passed House

Summary

Requires covered federal contractors to adopt vulnerability disclosure policies aligned with NIST guidance. The bill would update the Federal Acquisition Regulation (FAR) and the Defense FAR Supplement (DFARS) so that contractors receive and handle reports of security flaws in contractor-controlled systems.


Bill Overview

Analyzed Economic Effects

3 provisions identified: 0 benefits, 2 costs, 1 mixed.

Defense contractors face similar cyber rules

If enacted, the Defense Department would review its acquisition rules within 180 days. Within 180 days after that review, it would revise DFARS. Covered defense contractors would need a NIST-aligned vulnerability disclosure policy and must be able to receive reports about contractor systems used on a contract. The rules would align with the IoT Cybersecurity Improvement Act and ISO 29147 and 30111, when practical. The DoD CIO could waive the rules for national security or research, after consulting the National Manager for National Security Systems, and must notify the House and Senate Armed Services Committees within 30 days.

Which contractors must follow these rules

If enacted, a contractor would be covered if its federal contract is at or above the simplified acquisition threshold. A contractor would also be covered if it uses, operates, manages, or maintains a federal information system for an agency. Covered status would determine who must follow the new vulnerability disclosure rules.

New security vulnerability rules for contractors

If enacted, OMB would, within 180 days, review contract language on handling security vulnerability reports together with CISA, NIST, and others. The FAR Council would have 180 days after receiving those recommendations to update the FAR. Covered contractors would need a NIST-aligned policy and must be able to receive reports about contractor-owned or controlled systems used on a contract. The updates would aim to follow the IoT Cybersecurity Improvement Act and ISO 29147 and 30111, when practical. Agency heads could waive the rule for national security or research if the agency CIO agrees, and must notify the House Oversight and Senate Homeland Security committees within 30 days.

Sponsors & CoSponsors

Sponsor

Mace, Nancy [R-SC-1]

SC • R

Cosponsors

  • Rep. Brown, Shontel M. [D-OH-11] (OH • D), cosponsored 1/31/2025

Roll Call Votes

No roll call votes available for this bill.
