Sec. 1747. Federal contractor vulnerability disclosure policy
814 words·~4 min read·
/bill/118/hr/8070/eh/section-1747A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Director of the National Institute of Standards and Technology, and any other appropriate head of an Executive department, shall— review the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs; and recommend updates to such requirements and language to the Federal Acquisition Regulation Council. The recommendations required by paragraph
(1)shall include updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207 ). Not later than 180 days after the date on which the recommended contract language developed pursuant to subsection
(a)is received, the Federal Acquisition Regulation Council shall review the recommended contract language and update the FAR as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract. The update to the FAR pursuant to subsection
(b)shall— to the maximum extent practicable, align with the security vulnerability disclosure process and coordinated disclosure requirements relating to Federal information systems under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020 ( Public Law 116–207 ; 15 U.S.C. 278g–3c and 278g–3d); and to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely used standard. The head of an agency may waive the security vulnerability disclosure policy requirement under subsection
(b)if— the agency Chief Information Officer determines that the waiver is necessary in the interest of national security or research purposes; and if, not later than 30 days after granting a waiver, such head submits a notification and justification (including information about the duration of the waiver) to the Committee on Oversight and Accountability of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate. Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall review the Department of Defense Supplement to the Federal Acquisition Regulation contract requirements and language for contractor vulnerability disclosure programs and develop updates to such requirements designed to ensure that covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c; Public Law 116–207 ). Not later than 180 days after the date on which the review required under subsection
(a)is completed, the Secretary shall revise the DFARS as necessary to incorporate requirements for covered contractors to receive information about a potential security vulnerability relating to an information system owned or controlled by a contractor, in performance of the contract. The Secretary shall ensure that the revision to the DFARS described in this subsection is carried out in accordance with the requirements of paragraphs
(1)and
(2)of subsection (c). The Chief Information Officer of the Department of Defense may waive the security vulnerability disclosure policy requirements under paragraph
(2)if the Chief Information Officer— determines that the waiver is necessary in the interest of national security or research purposes; and not later than 30 days after granting a waiver, submits a notification and justification (including information about the duration of the waiver) to the Committees on Armed Services of the House of Representatives and the Senate. In this section: The term agency has the meaning given the term in section 3502 of title 44, United States Code. The term covered contractor means a contractor (as defined in section 7101 of title 41, United States Code)— whose contract is in an amount the same as or greater than the simplified acquisition threshold; or that uses, operates, manages, or maintains a Federal information system (as defined by section 11331 of title 40, United Stated Code) on behalf of an agency. The term DFARS means the Department of Defense Supplement to the Federal Acquisition Regulation. The term Executive department has the meaning given that term in section 101 of title 5, United States Code. The term FAR means the Federal Acquisition Regulation. The term NIST means the National Institute of Standards and Technology. The term OMB means the Office of Management and Budget. The term security vulnerability has the meaning given that term in section 2200 of the Homeland Security Act of 2002 ( 6 U.S.C. 650 ). The term simplified acquisition threshold has the meaning given that term in section 134 of title 41, United States Code.
Connectionstraces to 2
Traces to 2 documents
U.S. Code
1 reference not yet in our index
- 15 USC 278g–3c
Citation graph
cites case law
Sec. 1747
Federal contractor vulnerability disclosure policy
Cite15 USC 278g–3c
Cites 3Cited by 0 across 0 sources