
BILL · 118th Congress · H.R. 5255 (Introduced in House) — To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for o... · Sec. 2

Sec. 2. Federal contractor vulnerability disclosure policy


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and recommend updates to such requirements and language to the Federal Acquisition Regulation Council. The recommendations shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).

(b) Not later than 60 days after the date on which the recommended contract language developed pursuant to subsection (a) is received, the FAR Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor.

(c) The update to the FAR pursuant to subsection (b) shall—
(1) to the maximum extent practicable, be aligned with the NIST guidelines and OMB implementation for contractors as required under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 (Public Law 116–207; 15 U.S.C. 278g–3c and 278g–3d);
(2) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard; and
(3) not apply to contractors whose contracts are in amounts not greater than the simplified acquisition threshold.

(d) Consistent with section 7(b) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3e(b)), the Chief Information Officer of an Executive department may waive the vulnerability disclosure policy requirement under subsection (b) if the Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes.

(e)
(1) Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207).
(2) Not later than 60 days after the date on which the review required under subsection (a) is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor. The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs (1), (2), and (3) of subsection (c).
(3) The Chief Information Officer of the Department of Defense may waive the security vulnerability disclosure requirements under paragraph (2) if the Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes.

(f) In this section:
The term covered contractor means a contractor (as defined in section 7101 of title 41, United States Code) whose contract is in an amount the same as or greater than the simplified acquisition threshold.
The term DFARS means the Department of Defense Supplement to the Federal Acquisition Regulation.
The term Executive department has the meaning given that term in section 101 of title 5, United States Code.
The term FAR means the Federal Acquisition Regulation.
The term NIST means the National Institute of Standards and Technology.
The term OMB means the Office of Management and Budget.
The term security vulnerability has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
The term simplified acquisition threshold has the meaning given that term in section 134 of title 41, United States Code.
Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.