The bill directs the federal government to update the contract language governing vulnerability disclosure by contractors. Within 180 days of enactment, the Director of the Office of Management and Budget, in consultation with CISA, the National Cyber Director, the National Institute of Standards and Technology, and other agency heads, must review current FAR requirements and propose updates to the FAR Council.
After the recommendations are submitted, the FAR Council has 180 days to amend the FAR so that covered contractors must solicit and address information about potential security vulnerabilities in information systems used to perform federal contracts. The update is designed to align with NIST guidelines (as referenced by the IoT Cybersecurity Improvement Act) and with widely used ISO standards where practicable.
The act also provides a narrow waiver mechanism for national security or research reasons, requires disclosures to Congress on waived cases, and explicitly states that no additional funding is authorized. The bill defines who is a covered contractor and what constitutes a security vulnerability, anchoring the policy in established procurement and cybersecurity frameworks.
At a Glance
What It Does
Updates FAR contract language to require vulnerability disclosure programs for covered contractors, aligned with NIST guidelines and ISO standards where practicable.
Who It Affects
Covered contractors (contracts at or above the simplified acquisition threshold) and agencies that manage these contracts, including procurement and IT security offices.
Why It Matters
Creates a standardized vulnerability disclosure process across the federal contractor base, improving detection, reporting, and remediation of security gaps in systems used for federal work.
What This Bill Actually Does
The core aim of the bill is to anchor a vulnerability disclosure policy for federal contractors within the federal procurement framework. It begins with a mandated review of existing FAR language by senior federal officials to assess how vulnerability information is solicited and handled today.
The review process requires input from the Executive Office, cybersecurity agencies, and standards bodies before proposing updates to the FAR Council. Once the recommendations are ready, the FAR Council is tasked with amending the FAR to require contractors to actively solicit and address information about security vulnerabilities in information systems connected to federal contracts.
The policy intentionally aligns with established guidance, drawing from NIST’s vocabulary and processes and importing IoT Act and ISO 29147/30111 practices where feasible. A separate waiver mechanism allows agency CIOs to grant waivers for national security or research needs, with a post-waiver congressional notification.
The bill stops short of authorizing new funding, signaling that reforms must ride on existing resources. In defining who counts as a covered contractor and what a security vulnerability means, the bill ties the scope to contract value thresholds and the use of information systems in contract performance.
This structure aims to create predictable expectations for contractors and procurement staff while laying groundwork for stronger cyber hygiene across the federal supply chain.
The Five Things You Need to Know
The act requires OMB, CISA, NIST, and other heads to review FAR language on vulnerability disclosure and propose updates to the FAR Council.
The FAR Council must amend the FAR within 180 days after receiving the recommended language to require covered contractors to solicit and address vulnerability information.
The update must align with IoT Cybersecurity Improvement Act provisions and ISO 29147/30111 where practicable.
Agency CIOs can waive the policy for national security or research reasons, with 30-day congressional notification.
No new funding is authorized to carry out the Act.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Recommendations to update FAR contract language
Not later than 180 days after enactment, the Director of the Office of Management and Budget, in consultation with CISA, the National Cyber Director, NIST, and other appropriate heads of executive departments, must review the FAR contract requirements and language for contractor vulnerability disclosure programs and recommend updates to the FAR Council. This creates a formal pathway to inject vulnerability disclosure expectations into procurement rules.
Procurement requirements—FAR amendment
Within 180 days after receiving the recommended language, the FAR Council shall review and amend the FAR to require covered contractors to solicit and address information about potential security vulnerabilities in information systems used in performance of federal contracts. The amendment embeds vulnerability reporting into the contractual lifecycle and performance oversight.
Elements and alignment with standards
The FAR update should, to the maximum extent practicable, align with the IoT Cybersecurity Improvement Act’s vulnerability disclosure processes (sections 5 and 6) and with ISO standards 29147 and 30111, or any successor of these standards, ensuring that policy and procedures reflect established industry and government best practices.
Waiver authority
The head of an agency may waive the security vulnerability disclosure policy if the CIO determines the waiver is necessary for national security or research purposes. The agency must notify Congress with justification and duration within 30 days of granting the waiver, maintaining transparency on exceptions.
Definitions
Key terms are defined to ground the policy: ‘Agency,’ ‘Covered Contractor,’ ‘Executive Department,’ ‘Security Vulnerability,’ and ‘Simplified Acquisition Threshold.’ The definitions tie coverage to agency procurement and information-system usage thresholds to avoid overreach.
No additional funding
The Act provides that no additional funds are authorized to carry out its provisions. This signals reliance on existing departmental budgets and resources for implementing the revised FAR language and associated compliance activities.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- CIOs and IT security teams at covered contractors benefit from a clearer, standardized process for vulnerability reporting and remediation obligations.
- Federal contracting officers and procurement offices gain predictable requirements that can be evaluated against contract performance and risk management standards.
- Agency information security teams (CSOs/CISOs) receive a structured mechanism to identify, track, and remediate vulnerabilities in contractor-operated systems used for federal work.
- Security researchers and vulnerability disclosure platforms gain formal channels and guidance for responsible disclosure under a federal framework.
- Federal agencies’ oversight functions benefit from standardized reporting and reduced information gaps in contractor vulnerability data.
Who Bears the Cost
- Covered contractors incur costs to establish or upgrade vulnerability disclosure policies, reporting channels, staffing, and incident response processes.
- The FAR Council and procurement offices bear ongoing administrative costs to update, implement, and enforce the revised FAR language.
- Smaller contractors may face relatively higher per-contract compliance costs, potentially affecting bids and participation.
- Congress and agency oversight bodies may incur higher monitoring and reporting costs due to the waiver notifications and compliance checks under the act.
Key Issues
The Core Tension
The central dilemma is whether to impose a uniform, federally mandated vulnerability disclosure framework that could increase compliance costs and potential disclosure pressure on contractors, versus preserving agency flexibility in how vulnerabilities are reported and remediated under varying programmatic constraints.
The policy aims for a balance between enhanced cyber hygiene and administrative burden. By tying updates to existing standards and avoiding new funding, the bill relies on current agency capabilities to implement, communicate, and enforce the revised FAR provisions.
The reliance on international standards (ISO 29147/30111) and IoT Act alignment helps ensure interoperability but may require iterative calibration across agencies with different contracting ecosystems. A potential risk is inconsistent adoption across agencies or contractors, especially for smaller firms that may lack mature vulnerability disclosure programs.
The waiver mechanism introduces a degree of carve-out flexibility, but the criteria and notification requirements could be used narrowly, raising questions about coverage breadth during emergencies or sensitive research.