Last month, Rep Lieu (D,CA) introduced HR 5310, the Improving Contractor Cybersecurity Act. The bill would require federal contractors to have a vulnerability disclosure program (VDP). While similar in intent to HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023, introduced by Rep Mace (R,SC), it does not require any modifications to the Federal Acquisition Regulations (FAR) to enforce the requirements. No funding is authorized in the legislation.
The bill would amend Chapter 47 of division C of subtitle I of 41 USC, adding a new §4715, Vulnerability disclosure policy and program required.
Moving Forward
Lieu is not a member of the House Oversight and Accountability Committee to which the bill was assigned for consideration. This means that there is probably not sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be sufficient bipartisan support that the bill could move to the House floor under the suspension of the rules process.
Commentary
While the definition of ‘information technology’ used in this bill is written broadly enough to include control systems and operational technologies, there is an interesting shortcoming: it only applies to “the equipment [that] is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use” of the equipment. It specifically excludes any “equipment acquired by a federal contractor incidental to a federal contract.” Thus, devices networked to ‘federally required equipment’ need not be included in the required VDP.
For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5310-introduced - subscription required.