The H.R. 872 Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 is a bill that aims to enhance cybersecurity measures for federal contractors. It requires revisions to acquisition regulations related to information systems vulnerabilities for certain federal contractors. These revisions apply to contractors whose contracts are at or above the simplified acquisition threshold ($250,000 in most cases) or those that use, operate, manage, or maintain a federal information system on behalf of an agency.
Under this bill, the Office of Management and Budget (OMB) must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for contractor vulnerability disclosure programs. These programs establish processes for identifying, reporting, and mitigating information system vulnerabilities discovered by security researchers, software developers, and others. The recommendations must include requirements to ensure that such contractors implement vulnerability disclosure policies consistent with guidelines from the National Institute of Standards and Technology (NIST).
The Federal Acquisition Regulation Council must review these recommendations and update the FAR as necessary to incorporate requirements for contractors to receive information about potential security vulnerabilities in contractor information systems used in the performance of the contract. The Department of Defense (DoD) must conduct a similar review and update regulations with respect to the DoD Supplement to the FAR.
The bill has passed the House and is currently in committee in the Senate. It emphasizes the importance of cybersecurity measures and compliance with NIST guidelines to ensure the security and integrity of federal information systems.
The post H.R. 872 Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 passes house appeared first on Nimbus Logic LLC.