[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5028 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  2d Session
                                S. 5028

To require Federal contractors to implement a vulnerability disclosure 
    policy consistent with NIST guidelines, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 11, 2024

  Mr. Warner (for himself and Mr. Lankford) introduced the following 
 bill; which was read twice and referred to the Committee on Homeland 
                   Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To require Federal contractors to implement a vulnerability disclosure 
    policy consistent with NIST guidelines, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Contractor Cybersecurity 
Vulnerability Reduction Act of 2024''.

SEC. 2. FEDERAL CONTRACTOR VULNERABILITY DISCLOSURE POLICY.

    (a) Recommendations.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Director of the Office of 
        Management and Budget, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, the National 
        Cyber Director, the Director of the National Institute of 
        Standards and Technology, and any other appropriate head of an 
        Executive department, shall--
                    (A) review the Federal Acquisition Regulation (FAR) 
                contract requirements and language for contractor 
                vulnerability disclosure programs; and
                    (B) recommend updates to such requirements and 
                language to the Federal Acquisition Regulation Council.
            (2) Contents.--The recommendations required by paragraph 
        (1) shall include updates to such requirements designed to 
        ensure that covered contractors implement a vulnerability 
        disclosure policy consistent with National Institute of 
        Standards and Technology (NIST) guidelines for contractors as 
        required under section 5 of the IoT Cybersecurity Improvement 
        Act of 2020 (15 U.S.C. 278g-3c).
    (b) Procurement Requirements.--Not later than 180 days after the 
date on which the recommended contract language developed pursuant to 
subsection (a) is received, the Federal Acquisition Regulation Council 
shall review the recommended contract language and amend the FAR as 
necessary to incorporate requirements for covered contractors to 
solicit and address information about potential security 
vulnerabilities relating to an information system owned or controlled 
by the contractor that is used in performance of a Federal contract.
    (c) Elements.--The update to the FAR pursuant to subsection (b) 
shall--
            (1) to the maximum extent practicable, align with the 
        security vulnerability disclosure process and coordinated 
        disclosure requirements relating to Federal information systems 
        under sections 5 and 6 of the IoT Cybersecurity Improvement Act 
        of 2020 (15 U.S.C. 278g-3c, 278g-3d); and
            (2) to the maximum extent practicable, be aligned with 
        industry best practices and Standards 29147 and 30111 of the 
        International Standards Organization (or any successor 
        standard) or any other appropriate, relevant, and widely used 
        standard.
    (d) Waiver.--The head of an agency may waive the security 
vulnerability disclosure policy requirement under subsection (b) if the 
agency Chief Information Officer--
            (1) determines that the waiver is necessary in the interest 
        of national security or research purposes; and
            (2) not later than 30 days after granting the waiver, 
        submits a notification and justification, including information 
        about the duration of the waiver, to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Oversight and Accountability of the House of 
        Representatives.
    (e) Department of Defense Supplement to the Federal Acquisition 
Regulation.--
            (1) Review.--Not later than 180 days after the date of the 
        enactment of this Act, the Secretary of Defense shall review 
        the Department of Defense Supplement to the Federal Acquisition 
        Regulation (DFARS) contract requirements and language for 
        contractor vulnerability disclosure programs and develop 
        updates to such requirements designed to ensure that covered 
        contractors, to the maximum extent practicable, align with the 
        security vulnerability disclosure process and coordinated 
        disclosure requirements relating to Federal information systems 
        under sections 5 and 6 of the IoT Cybersecurity Improvement Act 
        of 2020 (15 U.S.C. 278g-3c, 278g-3d).
            (2) Revisions.--Not later than 180 days after the date on 
        which the review required under subsection (a) is completed, 
        the Secretary shall revise the DFARS as necessary to 
        incorporate requirements for covered contractors to receive 
        information about a potential security vulnerability relating 
        to an information system owned or controlled by a contractor, 
        in performance of the contract.
            (3) Elements.--The Secretary shall ensure that the revision 
        to the DFARS described in this subsection is carried out in 
        accordance with the requirements of paragraphs (1) and (2) of 
        subsection (c).
            (4) Waiver.--The Chief Information Officer of the 
        Department of Defense may waive the security vulnerability 
        disclosure policy requirements under paragraph (2) if the Chief 
        Information Officer--
                    (A) determines that the waiver is necessary in the 
                interest of national security or research purposes; and
                    (B) not later than 30 days after granting the 
                waiver, submits a notification and justification, 
                including information about the duration of the waiver, 
                to the Committee on Armed Services of the Senate and 
                the Committee on Armed Services of the House of 
                Representatives.
    (f) Definitions.--In this section:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (2) Covered contractor.--The term ``covered contractor'' 
        means a contractor (as defined in section 7101 of title 41, 
        United States Code)--
                    (A) whose contract is in an amount the same as or 
                greater than the simplified acquisition threshold; or
                    (B) that uses, operates, manages, or maintains a 
                Federal information system (as defined by section 11331 
                of title 40, United Stated Code) on behalf of an 
                agency.
            (3) Executive department.--The term ``Executive 
        department'' has the meaning given that term in section 101 of 
        title 5, United States Code.
            (4) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given that term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (5) Simplified acquisition threshold.--The term 
        ``simplified acquisition threshold'' has the meaning given that 
        term in section 134 of title 41, United States Code.
                                 <all>