Rep. Mace proposes new vulnerability disclosure rules for contractors

The Federal Cybersecurity Vulnerability Reduction Act will set requirements pushing federal contractors to employ vulnerability disclosure policies.
Chairwoman Nancy Mace (R-SC) speaks before a House hearing at the US Capitol on June 22, 2023 in Washington, DC. The House Committee on Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation met to discuss the use of technology at the US border, airports and military bases. (Photo by Tasos Katopodis/Getty Images)

Rep. Nancy Mace, R-S.C., has proposed new legislation that would extend to federal contractors the use of vulnerability disclosure policies, a formalized way for people to report observed or potential cybersecurity flaws to an organization.

While the Office of Management and Budget instructed federal agencies to implement VDPs back in 2020, this latest proposal, the Federal Cybersecurity Vulnerability Reduction Act, focuses on pushing federal contractors to do the same. The bill comes as growing attention is being paid to securing sensitive federal information housed on contractor-owned systems through initiatives like the Pentagon’s Cybersecurity Maturity Model Certification.

The legislation orders OMB, along with the directors of the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, to recommend new requirements to the Federal Acquisition Regulation Council, which helps coordinate the government’s approach to procurement. Those updates, the legislation proposes, should include VDPs consistent with NIST guidelines.

The legislation also stipulates that chief information officers may waive VDP requirements if doing so is necessary in the interest of national security or research. The bill also outlines specific responsibilities for the Department of Defense.

In its 2020 memo, OMB said that VDPs “are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.” In particular, the agency noted that this approach provides protection to those who report vulnerabilities — and helps differentiate between “good faith” researchers and those using “unacceptable” methods.

Organizations often use VDPs as a starting point to launch bounty programs, in which they pay cybersecurity researchers to report vulnerabilities found in their systems. The Pentagon has employed a VDP since 2016 and hosted numerous bug bounty efforts.

“When federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks,” said Marten Mickos, the CEO of HackerOne, a cybersecurity firm supporting the legislation, in a statement shared with FedScoop.

Written by Rebecca Heilweil

Rebecca Heilweil is a technology reporter for FedScoop, where she covers topics including space, transportation, quantum computing and disaster management. Previously she was a reporter at Recode/Vox, and has written for publications including Fortune, Slate, The Wall Street Journal and the Philadelphia Inquirer. You can reach her at