Senators Mark Warner (D-Va.) and James Lankford (R-Okla.) have reintroduced the Federal Contractor Cybersecurity Vulnerability Reduction Act. This bipartisan legislation aims to require federal government contractors to adopt vulnerability disclosure policies (VDPs) that align with the standards set by the National Institute of Standards and Technology (NIST).
The reintroduction follows progress in the House of Representatives, where a companion bill introduced by Reps. Nancy Mace (R-S.C.) and Shontel Brown (D-Ohio) passed in March 2025. The House version had been reintroduced in January and gained traction. In the Senate, the bill previously advanced out of the Homeland Security and Governmental Affairs Committee in November 2024 but failed to receive a full floor vote.
Vulnerability Disclosure Policies to Ensure Accountability in the Federal Supply Chain
The central goal of the legislation is to ensure that federal contractors are subject to the same legal cybersecurity requirements as federal agencies. Under the proposed bill, contractors would be obligated to implement VDPs per NIST guidance. These policies provide a structured method for ethical hackers and security researchers to report software vulnerabilities, enabling organizations to address weaknesses before they can be exploited by malicious actors.
“VDPs are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices,” Senator Warner stated in a press release. “This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security.”
Senator Lankford echoed the sentiment, stressing the urgency of proactive security measures. “Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” he said.
Oversight, Implementation, and Industry Support
The proposed legislation also mandates oversight from key federal bodies. The Office of Management and Budget (OMB) would be tasked with monitoring updates to the Federal Acquisition Regulation (FAR) to verify that contractors are implementing VDPs in line with NIST standards. Similarly, the Secretary of Defense would oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) for defense-related contracts.
Industry leaders have voiced strong support for the initiative. Bruce Byrd, executive vice president and general counsel at Palo Alto Networks, described the bill as one that would “promote federal cyber resilience” and “benefit the entire cybersecurity ecosystem.”
Ilona Cohen, chief legal and policy officer at HackerOne, highlighted the legislation’s importance in addressing systemic cybersecurity gaps. “This common-sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process,” Cohen stated.