Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.

Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.

The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy.

Defense Department contractors would also be required to follow the new procurement regulations. The legislation does allow agency chief information officers to waive the VDP requirements “in the interest of national security or research purposes.”

“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Mace said in a statement. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information. With the Federal Cybersecurity Vulnerability Reduction Act, we will reinforce our commitment to a robust and resilient cyberspace, fostering trust and security in the digital age.”

In 2020, OMB directed federal agencies to use vulnerability disclosure policies. The Cybersecurity and Infrastructure Security Agency also published a VDP binding operational directive and implementation guidance.

“VDPs establish processes for the identification, management, and remediation of security vulnerabilities uncovered by security researchers,” OMB’s memo states. “They are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment. They also provide protection for those who uncover these vulnerabilities by differentiating between good-faith security research and unacceptable means of gathering security information.”

Federal contractors that furnish information systems have already been required to follow vulnerability disclosure guidelines under the Internet of Things Cybersecurity Improvement Act of 2020. But Mace’s bill would extend the VDP requirements to all government contracts above the simplified acquisition threshold.

Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.

In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.

“Creating efficient and effective vulnerability disclosure programs can help minimize the unintended exposure of government and private information, the corruption of data, and the loss of services,” the guidelines state.

Grant Schneider, the former federal chief information security officer, said Mace’s bill “has the potential to be very positive” for federal cyber efforts.

“I think this is a pretty low bar and an easy lift for organizations,” Schneider said. “VDP programs can be pretty low cost and I think far more cost effective than a lot of other places where you could put your cybersecurity dollars.”

Ilona Cohen, the chief legal and policy officer at HackerOne and a former OMB official, pointed to how major federal cybersecurity incidents have occurred through contractor systems, such as the 2015 Office of Personnel Management breach.

“This is a real gap,” Cohen said.

Mace’s bill comes as the Biden administration also prioritizes encouraging coordinated vulnerability disclosure across all technology types and sectors under the new national cyber strategy.

The Defense Department was the first federal organization to adopt a VDP and run a “bug bounty” under its “Hack the Pentagon” program, which pays security researchers to find bugs in DoD systems. Mace’s bill would only require contractors to establish a VDP, leaving it up to them whether to pursue bug bounty programs.

DoD also recently ran a 12-month VDP pilot program with 41 contractors in the defense industrial base. The pilot turned up more than 400 vulnerabilities. DoD is now considering how to expand the program to other contractors.

“We can just look to that pilot as a model for success,” Cohen said. “Those companies who participated, I think they were surprised with what they were able to achieve.”