Last month, Rep Lieu (D,CA) introduced HR 5310, the Improving Contractor Cybersecurity Act. The bill would require federal contractors to have a vulnerability disclosure program (VDP). While similar in intent to HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023, introduced by Rep Mace (R,SC), it does not require any modifications to the Federal Acquisition Regulations (FAR) to enforce the requirements. No funding is authorized in the legislation.
The bill would amend Chapter 47 of division C of subtitle I of title 41, United States Code, by adding a new §4715, Vulnerability disclosure policy and program required.
Definitions
Subsection (d) of the new section provides the definitions of three key terms used in §4715. The bill defines “information technology” by reference to 40 USC 11101. For the purposes of this blog, the key part of that definition is in §11101(6)(B):
“(B) includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources;”
This specifically includes ‘security and surveillance’ equipment, which is a subset of what most people consider to be operational technology. Furthermore, the phrase “peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures” would seem to include industrial control systems as well.
VDP Program
Subsection (a) would prohibit the head of a federal agency from entering “into a contract for information technology unless the contractor maintains or does the following:”
A vulnerability disclosure policy for information technology,
Establish additional procedures that describe how the contractor will communicate with the researcher, and how and when any communication occurs,
Establish target timelines for contacting researchers for notification of receipt of initial report of vulnerability, initial assessment of validity of vulnerability, and resolution of the vulnerability,
Establish a contractor web site that provides information about the VDP program, and
Establish a process to forward third-party vulnerabilities to the responsible vendor.
The required vulnerability disclosure policy will include:
A description of which systems are in scope,
The type of information technology testing for each system that is allowed (or specifically not authorized),
If a contractor includes systems that host sensitive information in the vulnerability disclosure policy, the contractor shall determine whether to impose restrictions on accessing, copying, transferring, storing, using, and retaining such information,
A description of how an individual may submit a vulnerability report,
A commitment from the contractor that the contractor will not pursue civil action for any accidental, good faith violation of the vulnerability disclosure policy,
A commitment from the contractor that if an individual acting in accordance with the vulnerability disclosure policy of the contractor is sued by a third party, the contractor will inform the public or the court that the individual was acting in compliance with the vulnerability disclosure policy,
A statement that describes the time frame in which the individual that submits a report, if known, will receive a notification of receipt of the report and a description of what steps will be taken by the contractor during the remediation process, and
A set of guidelines that establishes what type of activities by a researcher are acceptable and unacceptable.
Information Sharing
Subsection (b) would require contractors to report to CISA:
Any valid or credible report of a not previously publicly known vulnerability (including any misconfiguration) on a system that uses commercial software or services that affects or is likely to affect other parties in government or industry, once a patch or viable mitigation is available, and
Any other situation where the contractor determines it would be helpful or necessary to involve the Cybersecurity and Infrastructure Security Agency.
CISA would be required to share that vulnerability information with the MITRE Common Vulnerabilities and Exposures (CVE) database and the National Institute of Standards and Technology National Vulnerability Database (NVD).
Moving Forward
Lieu is not a member of the House Oversight and Accountability Committee to which the bill was assigned for consideration. This means that there is probably not sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be sufficient bipartisan support that the bill could move to the House floor under the suspension of the rules process.
Commentary
While the definition of ‘information technology’ used in this bill is written broadly enough to include control systems and operational technologies, there is an interesting shortcoming; it only applies to “the equipment [that] is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use” of the equipment. It specifically excludes “any equipment acquired by a federal contractor incidental to a federal contract.” Thus, devices networked to ‘federally required equipment’ need not be included in the required VDP.