A newly proposed bill would require third-party contractors that work with federal agencies to set up vulnerability disclosure policies (VDPs).
The Federal Cybersecurity Vulnerability Reduction Act, introduced on Tuesday by Rep. Nancy Mace (R-S.C.), would require contractors to implement programs that give vulnerability reporters clear rules for submitting bugs found in their systems, consistent with guidelines from the National Institute of Standards and Technology (NIST) on disclosing federal vulnerabilities.
Federal contractors, which have access to valuable government data and networks, pose a unique security risk to the government and have come under increased scrutiny for how they protect that data and access. Biden’s executive order, for instance, included new requirements for federal contractors to report cyber incidents.
“The reality of modern federal infrastructure is that very little of it is actually managed by the government; federal contractors are an integral part of the IT infrastructure supply chain that supports the entire operation of the United States government,” said Casey Ellis, founder and CTO of Bugcrowd. “This means that a substantial portion of potentially targetable attack surfaces fall under the responsibility and oversight of federal contractors, and this bill reflects the likelihood that the most significant changes to the cyber resilience of the United States government will likely come from this group.”
The U.S. government has placed a higher emphasis on VDPs over the years with the aim of identifying and remediating vulnerabilities in a more timely manner. After a 2020 mandate from the Cybersecurity and Infrastructure Security Agency (CISA), most federal agencies have now implemented VDPs, for instance. However, that requirement did not extend to contractors.
“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” said Mace in a statement. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.”
VDPs take time and careful planning to design, develop and implement. Organizations need to have the resources in place for vulnerabilities to be reported and, once they have been reported, remediated. The Federal Cybersecurity Vulnerability Reduction Act’s text does not delve deeply into these details; instead it calls on the Office of Management and Budget (OMB), along with the Department of Defense (DoD), to review the United States’ flagship rules for government procurement, the Federal Acquisition Regulation, for any language related to contract rules and contractor VDPs, and to recommend updates for how contractors can implement VDPs consistent with NIST guidelines.
Mace, who serves on the House Oversight Committee’s Cybersecurity, Information Technology, and Government Innovation subcommittee, has previously focused on issues across the cybersecurity landscape, including through the proposed MACE Act, which would modernize federal cybersecurity job requirements in an effort to create a more competitive workforce.
“Hack the State Department, Hack The DHS, and other Congressional Bills that acknowledge and encourage partnership between hackers and the government date back to at least 2015, and after a brief lull, it’s great to see Rep. Mace’s office stepping in to continue to push the idea forward,” said Ellis. “It’s also awesome to see the House’s continued interest in enlisting hackers to serve as the Internet’s immune system, and their partnership with the security community in formulating and proposing legislation like The Federal Cybersecurity Vulnerability Reduction Act.”