Congresswoman Nancy Mace Reintroduces Bipartisan Bill to Strengthen Federal Contractor Cybersecurity

January 31, 2025

(Washington, D.C., January 31st, 2025) – Congresswoman Nancy Mace (R-SC), Chair of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, has reintroduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, a bipartisan effort to close a critical loophole in federal cybersecurity standards. This bill would require the Office of Management and Budget (OMB) and the Department of Defense (DoD) to update federal acquisition policies to mandate that all federal contractors, both civilian and defense, implement vulnerability disclosure policies (VDPs).

Cosponsored by Rep. Shontel Brown (D-OH), this legislation builds upon existing federal agency requirements by extending them to federal contractors. Vulnerability disclosure policies provide a clear framework for good-faith researchers to report security vulnerabilities before they can be exploited by cybercriminals, reducing the risk of cyberattacks targeting government contractors.

“This is a matter of national security,” said Congresswoman Nancy Mace. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses. This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches.”

“Cybersecurity isn’t optional, it’s essential. To ensure that our systems are fully secure, we need to make sure federal contractors follow national guidelines to protect digital infrastructure. I’m proud to join Rep. Mace on this bipartisan legislation to require Vulnerability Disclosure Policies for contractors so that we can better protect sensitive data from malicious actors,” said Congresswoman Shontel Brown (OH-11). 

Federal agencies are already required to have vulnerability disclosure policies, but federal contractors, who often manage vast amounts of sensitive government data, are not. This legislation closes this gap by requiring federal contractors to adhere to cybersecurity standards set by the National Institute of Standards and Technology (NIST).

The Federal Contractor Cybersecurity Vulnerability Reduction Act was originally introduced last August by Congresswoman Mace in the House and later taken up in the Senate by Senators Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK).

Under the bill, the Office of Management and Budget (OMB) will oversee updates to the Federal Acquisition Regulation (FAR) to enforce vulnerability disclosure requirements for civilian contractors. Similarly, the Secretary of Defense will ensure the Defense Federal Acquisition Regulation Supplement (DFARS) enforces these requirements among defense contractors.

This bill is part of a broader effort led by Congresswoman Mace to modernize and secure federal IT systems from potential cyberattacks. By requiring contractors to establish and maintain cybersecurity policies, the legislation moves the federal government closer to a proactive, rather than reactive, approach to cybersecurity threats.

For inquiries, please contact SC01Press@mail.house.gov

###