Back in February, Rep. Lieu (D-CA) introduced HR 1258, the Improving Contractor Cybersecurity Act. The bill would require federal contractors to have a vulnerability disclosure program (VDP). No new funding is provided.
The bill is essentially the same as HR 5310, which Lieu introduced in August 2023. No action was taken on that bill in the 118th Congress.
The bill would amend Chapter 47 of division C of subtitle I of 41 USC, adding a new §4715, Vulnerability disclosure policy and program required.
Moving Forward
Lieu is not a member of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that there is probably not sufficient influence for the bill to be considered in Committee, the same problem that Lieu had with HR 5310 in the 118th Congress. I suspect that there would be some Republicans that would oppose this bill as an unneeded, and potentially expensive, requirement for federal contractors. While there may possibly be sufficient bipartisan support for this bill to pass in Committee, I am not sure that there would be the necessary leadership interest to see this bill move forward.
Commentary
While the definition of ‘information technology’ used in this bill is written broadly enough to include control systems and operational technologies, there is an interesting shortcoming: it only applies to “the equipment [that] is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use” of the equipment. It specifically excludes any equipment acquired by a federal contractor incidental to a federal contract. Thus, devices networked to ‘federally required equipment’ need not be included in the required VDP.
For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1258-introduced - subscription required.