Wednesday, September 20, 2023

Review - HR 5255 Introduced – Contractor VDP

Last month, Rep Mace (R,SC) introduced HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023. The bill would require the OMB and DOD to review Federal Acquisition Regulations (FAR) to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required by 15 USC 278g–3c. No funding is authorized by this legislation.

Moving Forward

Mace is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this legislation that should engender any organized opposition. The bill should receive some level of bipartisan support if considered. I suspect that this bill would receive sufficient bipartisan support to allow it to be considered under the House suspension of the rules process when taken up by the full House.

Commentary

Interestingly, most of the requirements set forth in this bill are already incorporated in §278g–3c and §278g–3d in 15 USC. Specifically, the requirement to set appropriate FAR guidelines is included in §278g–3d(d). Unfortunately, the timelines set forth in the two existing sections of 15 USC have passed without the required action taking place. I do not think that the setting of new timelines like we see in this bill will have any material impact on the acquisition regulations absent some specific new requirements. I would suggest that a §3 be added to the bill:

“SEC. 3. REPORT TO CONGRESS—The Director of the Office of Management and Budget will, within 30 days of the enactment of this bill, provide a report to Congress on the reasons why the regulatory time limits in §278g–3c(a) and §278g–3d(a) have not been met. The report will include a timeline for the agency’s completing the requirements of the two subsections.”


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5255-introduced - subscription required.
