Floor Speech · Bipartisan · 2025-03-03

FEDERAL CONTRACTOR CYBERSECURITY VULNERABILITY REDUCTION ACT OF 2025

James Comer (R-KY-1) · Representative

Context

On 2025-03-03, Representative James Comer (R-KY-1) delivered a floor speech titled "FEDERAL CONTRACTOR CYBERSECURITY VULNERABILITY REDUCTION ACT OF 2025" in the House. The speech addressed taxes and also covered the environment and defense. It referenced legislation: HR872.

Full Text

FEDERAL CONTRACTOR CYBERSECURITY VULNERABILITY REDUCTION ACT OF 2025

Congressional Record, Volume 171 Issue 40 (Monday, March 3, 2025)
[House]
[Pages H930-H932]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

FEDERAL CONTRACTOR CYBERSECURITY VULNERABILITY REDUCTION ACT OF 2025

Mr. COMER. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 872) to require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 872

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025''.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.

(a) Recommendations.--

  (1) In general.--Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall--

    (A) review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs; and

    (B) recommend updates to such requirements and language to the Federal Acquisition Regulation Council.

  (2) Contents.--The recommendations required by paragraph (1) shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c; Public Law 116-207).

(b) Procurement Requirements.--Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the Federal Acquisition Regulation Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.

(c) Elements.--The update to the FAR pursuant to subsection (b) shall--

  (1) to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (Public Law 116-207; 15 U.S.C. 278g-3c and 278g-3d); and

  (2) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard.

(d) Waiver.--The head of an agency may waive the security vulnerability disclosure policy requirement under subsection (b) if--

  (1) the agency Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes; and

  (2) if, not later than 30 days after granting a waiver, such head submits a notification and justification (including information about the duration of the waiver) to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.

(e) Department of Defense Supplement to the Federal Acquisition Regulation.--

  (1) Review.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c; Public Law 116-207).

  (2) Revisions.--Not later than 180 days after the date on which the review required under subsection (a) is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract.

  (3) Elements.--The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs (1) and (2) of subsection (c).

  (4) Waiver.--The Chief Information Officer of the Department of Defense, in consultation with the National Manager for National Security Systems, may waive the security vulnerability disclosure policy requirements under paragraph (2) if the Chief Information Officer--

    (A) determines that the waiver is necessary in the interest of national security or research purposes; and

    (B) not later than 30 days after granting a waiver, submits a notification and justification (including information about the duration of the waiver) to the Committees on Armed Services of the House of Representatives and the Senate.
(f) Definitions.--In this section:

  (1) The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code.

  (2) The term ``covered contractor'' means a contractor (as defined in section 7101 of title 41, United States Code)--

    (A) whose contract is in an amount the same as or greater than the simplified acquisition threshold; or

    (B) that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United States Code) on behalf of an agency.

  (3) The term ``DFARS'' means the Department of Defense Supplement to the Federal Acquisition Regulation.

  (4) The term ``Executive department'' has the meaning given that term in section 101 of title 5, United States Code.

  (5) The term ``FAR'' means the Federal Acquisition Regulation.

  (6) The term ``NIST'' means the National Institute of Standards and Technology.

  (7) The term ``OMB'' means the Office of Management and Budget.

  (8) The term ``security vulnerability'' has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

  (9) The term ``simplified acquisition threshold'' has the meaning given that term in section 134 of title 41, United States Code.

The SPEAKER pro tempore. Pursuant to the rule, the gentleman from Kentucky (Mr. Comer) and the gentleman from Virginia (Mr. Connolly) each will control 20 minutes.

The Chair recognizes the gentleman from Kentucky.

General Leave

Mr. COMER. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days in which to revise and extend their remarks and include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentleman from Kentucky?

There was no objection.

Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I am happy to support H.R. 872, the Federal Contractor Cybersecurity Vulnerability Reduction Act.

Mr. Speaker, this bill will require Federal contractors to have a vulnerability disclosure policy, or VDP. This would help contractors more quickly alert Federal agencies about vulnerabilities, which could avoid a future cybersecurity breach.

Federal agencies must act quickly when dealing with a cyberattack. The sooner a Federal agency knows that it may have a problem, the sooner it can take steps to protect its systems and data, including the personal data of millions of Americans. It is reasonable to require Federal contractors to play a proactive role in addressing vulnerabilities in Federal information systems.

This bill complements the committee's ongoing work aimed at helping Federal agencies protect their data and information systems.

Mr. Speaker, I thank our great Cybersecurity, Information Technology, and Government Innovation Subcommittee chairwoman, the gentlewoman from South Carolina (Ms. Mace), for introducing this important legislation, which the House Oversight and Government Reform Committee unanimously passed last year and the House later passed as part of the fiscal year 2025 National Defense Authorization Act. I also thank the Cybersecurity, Information Technology, and Government Innovation Subcommittee ranking member, the gentlewoman from Ohio (Ms. Brown), for cosponsoring this legislation, building on the bipartisan support from last year.

Mr. Speaker, I encourage my colleagues to support H.R. 872 once again, and I reserve the balance of my time.

Mr. CONNOLLY. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I appreciate today's consideration of the Federal Contractor Cybersecurity Vulnerability Reduction Act, as well as the work of Chairwoman Mace and Ranking Member Brown in leading this legislation for us today.

The bill would ensure that Federal contractors implement vulnerability disclosure policies consistent with the guidance and guidelines of the National Institute of Standards and Technology, industry best practices, and international standards.

Mr. Speaker, each year, software developers, security researchers, and others discover tens of thousands of security vulnerabilities in computer software and systems. For example, in 2023 alone, more than 29,000 common vulnerabilities and exposures were logged in this widely used National Vulnerability Database. If companies established a process for accepting, assessing, and managing reports of such vulnerabilities, otherwise known as vulnerability disclosure policies, they can make use of such discoverie

Referenced legislation: HR872