Lawmaker Wants to Require Cyber Vulnerability Disclosure Policies for Government Contractors
Rep. Ted Lieu has proposed legislation that would require federal government contractors to implement cybersecurity vulnerability disclosure policies and programs.
According to Lieu, the Improving Contractor Cybersecurity Act would strengthen cybersecurity in the government and private sector by mitigating risks in critical supply chains, Homeland Security Preparedness News reported.
“They allow security researchers to find software vulnerabilities and notify owners before they can be exploited by bad actors,” the lawmaker said about vulnerability disclosure policies.
Lieu noted that the Department of Homeland Security already requires government agencies to maintain risk disclosure policies, which he said are among the best preemptive measures against cyberattacks.
He said that vendors should be held to a similar standard as agencies because of the high complexity of the government contracting supply chain.
The National Institute of Standards and Technology plans to create a software vulnerability disclosure program for the federal government as mandated by 2020 legislation.
The Internet of Things Cybersecurity Improvement Act of 2020 requires the NIST director to publish guidelines for receiving, reporting, coordinating and publishing information related to security vulnerabilities in agency systems such as internet of things devices.
Kim Schaffer, an information technology specialist at NIST, said the agency is taking notes from guidelines already in place, including those at the Department of Defense and DHS.
In 2016, the Pentagon enacted a policy that provides security researchers a legal avenue to disclose vulnerabilities in any of the department’s public-facing systems.
DHS more recently released a directive titled “Improving Vulnerability Identification, Management and Remediation.” The policy requires agencies to implement vulnerability disclosure policies with clearly defined reporting mechanisms.
Tags: cybersecurity Department of Homeland Security DHS federal Homeland Security Preparedness News Improving Contractor Cybersecurity Ted Lieu VDP vulnerability disclosure program