Last month, Rep. Mace (R, SC) introduced HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023. The bill would require the OMB and DOD to review the Federal Acquisition Regulation (FAR) to ensure that covered contractors implement a vulnerability disclosure policy consistent with the NIST guidelines for contractors required by 15 USC 278g–3c. No funding is authorized by this legislation.
Definitions
Subsection 2(f) provides definitions for 8 key terms used in this bill. The one technical term, ‘security vulnerability’, is defined by reference to an existing statutory definition.
General Requirements
Subsection 2(a) requires the Office of Management and Budget to “review the Federal Acquisition Regulation [FAR] contract requirements and language for contractor vulnerability disclosure programs and recommend updates to such requirements and language to the Federal Acquisition Regulation Council”, specifically including updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines.
The FAR update would include the following elements:
To the maximum extent practicable, be aligned with the NIST guidelines and OMB implementation for contractors as required under §278g–3c and §278g–3d,
To the maximum extent practicable, be aligned with industry best practices and ISO 29147 and ISO 30111 or any other appropriate, relevant, and widely used standard, and
Not apply to contractors whose contracts are in amounts not greater than the simplified acquisition threshold.
Subsection 2(d) allows the Chief Information Officer of an Executive department to waive the vulnerability disclosure policy requirement if the CIO determines that the waiver is necessary in the interest of national security or for research purposes.
DOD FAR Supplement
Subsection 2(e) requires DOD to conduct a similar review and make similar revisions to the DOD supplement to FAR.
Moving Forward
Mace is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this legislation that should engender any organized opposition. The bill should receive some level of bipartisan support if considered. I suspect that this bill would receive sufficient bipartisan support to allow it to be considered under the House suspension of the rules process when taken up by the full House.
Commentary
Interestingly, most of the requirements set forth in this bill are already incorporated in §278g–3c and §278g–3d of 15 USC. Specifically, the requirement to set appropriate FAR guidelines is included in §278g–3d(d). Unfortunately, the timelines set forth in the two existing sections of 15 USC have passed without the required action taking place. I do not think that the setting of new timelines like we see in this bill will have any material impact on the acquisition regulations absent some specific new requirements. I would suggest that a §3 be added to the bill:
“SEC. 3. REPORT TO CONGRESS—The Director of the Office of Management and Budget will, within 30 days of the enactment of this Act, provide a report to Congress on the reasons why the regulatory time limits in §278g–3c(a) and §278g–3d(a) have not been met. The report will include a timeline for the agency’s completing the requirements of the two subsections.”