WASHINGTON — U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK), a member of the Senate Committee on Homeland Security & Governmental Affairs, have introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, legislation to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST).
Vulnerability Disclosure Policies (VDPs) provide a way for organizations to receive unsolicited reports of vulnerabilities in their software so that they can be patched before an attack takes place. Receiving reports of suspected security vulnerabilities in information systems is one of the best ways for developers and service operators to become aware of issues. Currently, civilian federal agencies are required to have VDPs; however, there is no requirement for federal contractors, civilian or defense, to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require federal contractors to implement VDPs and would formalize the process for accepting, assessing, and managing vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.
“Vulnerability Disclosure Policies are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices. This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security,” Sen. Warner said.
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Sen. Lankford said.
Specifically, the Federal Contractor Cybersecurity Vulnerability Reduction Act would require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies.
Sens. Warner and Lankford originally introduced this bipartisan legislation last year. As a leader in the cybersecurity realm, Sen. Warner has led numerous legislative efforts to protect the economic prosperity, national security, and democratic institutions of the United States. Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner also co-authored legislation, subsequently signed into law, that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.
“Palo Alto Networks applauds Senator Warner’s continued efforts to promote federal cyber resilience through the Federal Cybersecurity Vulnerability Reduction Act. This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.
“With cyberattacks by foreign adversaries and criminals on the rise, this legislation addresses a critical gap in our nation’s defenses,” said Ilona Cohen, chief legal and policy officer at HackerOne. “This common sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process.”
A copy of the legislation is available here.
###