Showing posts with label HR 5255.

Monday, March 3, 2025

Review - HR 872 Introduced – Contractor VDP

Last month, Rep Mace (R,SC) introduced HR 872, the Federal Cybersecurity Vulnerability Reduction Act of 2023. The bill would require the OMB and DOD to review Federal Acquisition Regulations (FAR) to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required by 15 USC 278g–3c. No funding is authorized by this legislation.

Note: The version of HR 872 linked to above is a committee print of a revised version of the bill that will be considered today under the House suspension of the rules process. The GPO has not yet published the introduced version of the bill. There are no paragraph-links available in the committee print, so I will be providing old style paragraph descriptions for quoted materials.

NOTE: Corrected two instances of type-disclexia in the bill number in each of the first two paragraphs. March 3rd, 2025 10:00 EST.

This bill is a substantial re-write of HR 5255 introduced by Mace in August of 2023, though the basic provisions remain the same. The House Oversight and Accountability Committee held a business meeting on May 15th, 2024 that included consideration of this bill. The bill was ordered reported favorably by a vote of 42 to 0. The Committee report has not been published, nor has a reported version of the bill.

Moving Forward

The House is scheduled to consider the modified version of HR 872 this afternoon under the suspension of the rules process. That process limits debate, prohibits floor amendments to the bill, and requires a supermajority for passage. This bill will almost certainly pass with wide bipartisan support.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-872-introduced - subscription required.

Monday, October 28, 2024

Review - S 5028 Introduced – Contractor VDP

Last month Sen Warner (D,VA) introduced S 5028, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024. The bill would require changes to the Federal Acquisition Regulations to require federal contractors to have a vulnerability disclosure program. No new funding is authorized by this legislation.

This bill is very similar in intent to HR 5310 and HR 5255. The major difference between this bill and the other two is that the Senate bill is focused on the FAR as the mechanism for requiring contractors to have a vulnerability disclosure program. There has been no action taken on HR 5310, but HR 5255 was amended and ordered favorably reported back in May. That report has not yet been published.

Moving Forward

While Warner is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned, his sole cosponsor {Lankford (R,OK)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. Beyond the increased regulation of contractors which some elements of the Republican fringe have a knee-jerk opposition to, I see nothing that would cause any organized opposition to this bill. I suspect that this bill would receive some level of bipartisan support in Committee.

 

For more information about the provisions of the bill, as well as more discussion about its prospects, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-5028-introduced - subscription required.

Tuesday, May 14, 2024

Committee Hearings – Week of 5-13-24

This week, with both the House and Senate in session, there is a relatively busy hearing schedule. FY 2025 budget hearings continue in the oversight committees. There is one markup hearing of note, a Chinese security risk hearing, and a UAS use hearing.

Budget Hearings

Agency              House              Senate
------------------  -----------------  ----------------
EPA                 EC Subcommittee
TSA                 HS Subcommittee
NTIA                EC Subcommittee
DOD Acquisitions                       APP Subcommittee

Note: There is a problem with the links to the Senate Appropriations Committee this morning.

Markup Hearing

On Wednesday, the House Oversight and Accountability Committee will hold a markup hearing to consider six bills and three postal naming bills. The one bill of specific interest here is:

HR 5255: "To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes."

Chinese Threat Hearing

On Wednesday the Cybersecurity, Information Technology, and Government Innovation Subcommittee of the House Oversight and Accountability Committee will hold a hearing on “Red Alert: Countering the Cyberthreat from China”. The witness list includes:

• Charles Carmakal, Mandiant,

• William Evanina, Former Director of the National Counterintelligence and Security Center,

• Rob Joyce, Former Special Assistant to the President and White House Cyber Security Coordinator,

• Steven M. Kelly, Institute for Security and Technology

Expect some FUD pointing by committee members.

UAS Uses

On Thursday the Subcommittee on Emergency Management and Technology, and the Subcommittee on Counterterrorism, Law Enforcement, and Intelligence, both of the House Homeland Security Committee will hold a joint hearing on “Unmanned Aerial Systems: An Examination of the Use of Drones in Emergency Response”. No witness list is currently available.

Without a witness list it is hard to tell, but there is a possibility that UAS cybersecurity issues could be part of this topic.

On the Floor

The House will consider a relatively large number of bills on Tuesday (votes lasting through Wednesday) under their suspension of the rules process this week. Of interest here, this will include:

HR 4510 – NTIA Reauthorization Act of 2024, as amended,

HR 7659 – Coast Guard Authorization Act of 2024, as amended, and

Senate Amendment to HR 3935 – FAA Reauthorization Act of 2024.


Wednesday, September 20, 2023

Review - HR 5255 Introduced – Contractor VDP

Last month, Rep Mace (R,SC) introduced HR 5255, the Federal Cybersecurity Vulnerability Reduction Act of 2023. The bill would require the OMB and DOD to review Federal Acquisition Regulations (FAR) to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required by 15 USC 278g–3c. No funding is authorized by this legislation.

Moving Forward

Mace is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this legislation that should engender any organized opposition. The bill should receive some level of bipartisan support if considered. I suspect that this bill would receive sufficient bipartisan support to allow it to be considered under the House suspension of the rules process when taken up by the full House.

Commentary

Interestingly, most of the requirements set forth in this bill are already incorporated in §278g–3c and §278g–3d in 15 USC. Specifically, the requirement to set appropriate FAR guidelines is included in §278g-3d(d). Unfortunately, the timelines set forth in the two existing sections of 15 USC have passed without the required action taking place. I do not think that the setting of new timelines like we see in this bill will have any material impact on the acquisition regulations absent some specific new requirements. I would suggest that a §3 be added to the bill:

“SEC. 3. REPORT TO CONGRESS—The Director of the Office of Management and Budget will, within 30 days of the enactment of this bill, provide a report to Congress on the reasons why the regulatory time limits in §278g–3c(a) and §278g–3d(a) have not been met. The report will include a timeline for the agency’s completing the requirements of the two subsections.”


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5255-introduced - subscription required.

Wednesday, August 23, 2023

Bills Introduced – 8-22-23

Yesterday, with the House and Senate meeting in pro forma session, there were 24 bills introduced. One of those bills will receive additional attention in this blog:

HR 5255 To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes.  Mace, Nancy [Rep.-R-SC-1] 

 