Lankford Works to Strengthen Federal Cybersecurity Measures, Implement Mandatory Vulnerability Disclosure Policies
OKLAHOMA CITY, OK – Senators James Lankford (R-OK) and Mark Warner (D-VA), members of the Senate Select Committee on Intelligence, introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST).
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” said Lankford.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” said Warner. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks.”
Vulnerability Disclosure Policies (VDPs) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack takes place. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Currently, civilian federal agencies are required to have VDPs; however, there is no requirement for federal contractors—civilian or defense—to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess, and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.
Specifically, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would:
- Require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies;
- Require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.
###