Monday, September 25, 2023

Review - HR 5310 Introduced – Contractor VDP

Last month, Rep Lieu (D,CA) introduced HR 5310, the Improving Contractor Cybersecurity Act. The bill would require federal contractors to have a vulnerability disclosure program (VDP). While similar in intent to HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023, introduced by Rep Mace (R,SC), it does not require any modifications to the Federal Acquisition Regulation (FAR) to enforce the requirements. No funding is authorized in the legislation.

The bill would amend Chapter 47 of division C of subtitle I of 41 USC, adding a new §4715, Vulnerability disclosure policy and program required.

Moving Forward

Lieu is not a member of the House Oversight and Accountability Committee, to which the bill was assigned for consideration. This means that he probably lacks sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be sufficient bipartisan support that the bill could move to the House floor under the suspension of the rules process.

While the definition of ‘information technology’ used in this bill is written broadly enough to include control systems and operational technology, it has an interesting shortcoming: it applies only to “the equipment [that] is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use” of the equipment. It specifically excludes any “equipment acquired by a federal contractor incidental to a federal contract.” Thus, a contractor's own devices that are networked to the ‘federally required equipment’ need not be included in the required VDP, even though a vulnerability in one of those devices could provide a path to the covered equipment.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis (subscription required).
