[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5255 Introduced in House (IH)]

<DOC>

118th CONGRESS
  1st Session
                                H. R. 5255

  To require covered contractors implement a vulnerability disclosure 
    policy consistent with NIST guidelines, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            August 22, 2023

   Ms. Mace introduced the following bill; which was referred to the 
   Committee on Oversight and Accountability, and in addition to the 
Committee on Armed Services, for a period to be subsequently determined 
 by the Speaker, in each case for consideration of such provisions as 
        fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL

  To require covered contractors implement a vulnerability disclosure 
    policy consistent with NIST guidelines, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Cybersecurity Vulnerability 
Reduction Act of 2023''.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.

    (a) In General.--Not later than 180 days after the date of the 
enactment of this Act, the Director of the Office of Management and 
Budget, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, the National Cyber Director, the 
Director of the National Institute of Standards and Technology, and any 
other appropriate head of an Executive department, shall review the 
Federal Acquisition Regulation contract requirements and language for 
contractor vulnerability disclosure programs and recommend updates to 
such requirements and language to the Federal Acquisition Regulation 
Council. The recommendations shall include updates to such requirements 
designed to ensure that covered contractors implement a vulnerability 
disclosure policy consistent with NIST guidelines for contractors as 
required under section 5 of the IoT Cybersecurity Improvement Act of 
2020 (15 U.S.C. 278g-3c; Public Law 116-207).
    (b) Procurement Requirements.--Not later than 60 days after the 
date on which the recommended contract language developed pursuant to 
subsection (a) is received, the FAR Council shall review the 
recommended contract language and update the FAR as necessary to 
incorporate requirements for covered contractors to receive information 
about a potential security vulnerability relating to an information 
system owned or controlled by a contractor.
    (c) Elements.--The update to the FAR pursuant to subsection (b) 
shall--
            (1) to the maximum extent practicable, be aligned with the 
        NIST guidelines and OMB implementation for contractors as 
        required under sections 5 and 6 of the IoT Cybersecurity 
        Improvement Act of 2020 (Public Law 116-207; 15 U.S.C. 278g-3c 
        and 278g-3d);
            (2) to the maximum extent practicable, be aligned with 
        industry best practices and Standards 29147 and 30111 of the 
        International Standards Organization (or any successor 
        standard) or any other appropriate, relevant, and widely used 
        standard; and
            (3) not apply to contractors whose contracts are in amounts 
        not greater than the simplified acquisition threshold.
    (d) Waiver.--Consistent with section 7(b) of the IoT Cybersecurity 
Improvement Act of 2020 (15 U.S.C. 278g-3e(b)), the Chief Information 
Officer of an Executive department may waive the vulnerability 
disclosure policy requirement under subsection (b) if the Chief 
Information Officer determines that the waiver is necessary in the 
interest of national security or research purposes.
    (e) Department of Defense Supplement to the Federal Acquisition 
Regulation.--
            (1) Review.--Not later than 180 days after the date of the 
        enactment of this Act, the Secretary of Defense shall review 
        the Department of Defense Supplement to the Federal Acquisition 
        Regulation contract requirements and language for contractor 
        vulnerability disclosure programs and develop updates to such 
        requirements designed to ensure that covered contractors 
        implement a vulnerability disclosure policy consistent with 
        NIST guidelines for contractors as required under section 5 of 
        the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
        3c; Public Law 116-207).
            (2) Revisions.--Not later than 60 days after the date on 
        which the review required under subsection (a) is completed, 
        the Secretary shall revise the DFARS as necessary to 
        incorporate requirements for covered contractors to receive 
        information about a potential security vulnerability relating 
        to an information system owned or controlled by a contractor.
            (3) Elements.--The Secretary shall ensure that the revision 
        to the DFARS described in this subsection is carried out in 
        accordance with the requirements of paragraphs (1), (2), and 
        (3) of subsection (c).
            (4) Waiver.--The Chief Information Officer of the 
        Department of Defense may waive the security vulnerability 
        disclosure requirements under paragraph (2) if the Chief 
        Information Officer determines that the waiver is necessary in 
        the interest of national security or research purposes.
    (f) Definitions.--In this section:
            (1) Covered contractor.--The term ``covered contractor'' 
        means a contractor (as defined in section 7101 of title 41, 
        United States Code) whose contract is in an amount the same as 
        or greater than the simplified acquisition threshold.
            (2) DFARS.--The term ``DFARS'' means the Department of 
        Defense Supplement to the Federal Acquisition Regulation.
            (3) Executive department.--The term ``Executive 
        department'' has the meaning given that term in section 101 of 
        title 5, United States Code.
            (4) FAR.--The term ``FAR'' means the Federal Acquisition 
        Regulation.
            (5) NIST.--The term ``NIST'' means the National Institute 
        of Standards and Technology.
            (6) OMB.--The term ``OMB'' means the Office of Management 
        and Budget.
            (7) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given that term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (8) Simplified acquisition threshold.--The term 
        ``simplified acquisition threshold'' has the meaning given that 
        term in section 134 of title 41, United States Code.
                                 <all>