WASHINGTON – Today, Congressman Ted W. Lieu (D-Los Angeles) introduced the Improving Contractor Cybersecurity Act, legislation that would amend the federal contracts title of the U.S. Code to require vendors that wish to do business with the United States Government to maintain vulnerability disclosure policies and programs. In 2020, the Department of Homeland Security (DHS) issued Binding Operational Directive 20-01, which directed federal civilian agencies to develop and publish vulnerability disclosure policies (VDPs). A VDP tells security researchers which systems they may test, how to report what they find, and that good-faith research and reporting will not be treated as an attack, so that vulnerabilities reach the system owner before they become a problem. Unfortunately, as multiple high-profile security incidents have made clear, the Government does not take the same approach to the security of its third-party vendors and contractors. There is no statutory requirement that software vendors maintain VDPs, a gap that leaves flaws in contractor-supplied software unreported and exploitable and so contributes to network breaches and data exfiltration.
“I have long been a supporter of vulnerability disclosure policies and programs (VDPs) in both the federal government and private sector,” said Rep. Lieu. “They allow security researchers to find software vulnerabilities and notify owners before they can be exploited by bad actors. The Department of Homeland Security already requires federal agencies to maintain VDPs because leaders in government recognize VDPs are one of our best chances at stopping cyberattacks before they happen. There is no reason government contractors shouldn’t also be asked to maintain vulnerability disclosure policies, given the complex web of third-party vendors on which the United States relies. I am pleased that the Biden administration also recognizes this need, and mentioned VDPs in its recent Executive Order as one way to shore up federal cybersecurity. I am proud to introduce the Improving Contractor Cybersecurity Act and am grateful to the many security researchers, think tank experts, and members of industry who provided valuable feedback as we crafted this commonsense legislation.”
The Improving Contractor Cybersecurity Act is supported by: the Institute for Critical Infrastructure Technology (ICIT); HackerOne; the Electronic Privacy Information Center; Christopher Painter (former State Department Coordinator for Cyber Issues under President Obama); Paul Rosenzweig (former Deputy Assistant Secretary for Policy at DHS under President George W. Bush); and Beau Woods (Cyber Safety Innovation Fellow at the Atlantic Council).
The following individuals released statements in support of the bill:
“Software is ubiquitous in the United States government’s supply chain, and security vulnerabilities are inherent to software. It takes an army of allies to outsmart the army of adversaries looking to find these flaws. The continued adoption of vulnerability disclosure programs by the US Government engages the ever-present help of hackers acting in good faith to do just this.” – Casey John Ellis, BugCrowd Founder/Chairman/CTO
“Reports of cybersecurity vulnerabilities inoculate against adversaries who would use them to do harm. Companies with mature software development programs recognize this and accept reports from security researchers acting in good faith through coordinated vulnerability disclosure programs.” – Beau Woods, Cyber Safety Innovation Fellow at the Atlantic Council
“Vulnerability discovery and responsible disclosure of the kind championed by this bill is a foundational part of a more secure cyber ecosystem and helps to prevent malicious actors exploiting our government and private sector systems.” – Chris Painter, former State Dept. Coordinator for Cyber Issues and former Senior Director for Cyber Policy at the National Security Council
“Representative Lieu’s bill on vulnerability disclosure programs for contractors is a commonsense expansion of an important concept that is already used inside the government. It is the first, significant step in an important discussion whose timeliness is made apparent by recent breaches that appear to have compromised critical government IT systems. The Lieu bill deserves Congress’s careful and prompt consideration.” – Paul Rosenzweig, Senior Fellow, R Street Institute and former Deputy Assistant Secretary for Policy, DHS