In 2014 and 2015, two interconnected cyberattacks targeted and breached the U.S. Office of Personnel Management (OPM), a federal agency. Data, including social security numbers of 21.5 million people, were stolen.
Six years later, in 2021, the Colonial Pipeline ransomware attack crippled a major fuel pipeline, disrupting supply chains across the Eastern United States and indirectly impacting federal agencies.
And in 2023 the SolarWinds remote trojan attack affected about 100 organizations, driving a cyberespionage operation that targeted federal agencies and federal contractors.
The list of high-profile cyberattacks that impacted federal agencies is as extensive as it is concerning. In response, the government is pushing for a new vulnerability act that would mandate all federal contractors — vital contributors to the federal government supply chain — to deploy and maintain Vulnerability Disclosure Programs (VDPs).
Key Takeaways
- Vulnerability Disclosure Programs (VDPs) are essential for cybersecurity — but federal contractors face increased cybersecurity responsibilities
- The new U.S. legislation will mandate the deployment and management of VDPs for federal contractors.
- This is a shift towards a more proactive approach to addressing cyber threats.
- Our experts work out the nuances and effects of the new legislation.
U.S. Gov. Goes Beyond Traditional Security
On August 9, U.S. senators Mark R. Warner (D-VA) and James Lankford (R-OK) announced the introduction of a bipartisan bill seeking tighter vulnerability disclosure rules for federal contractors.
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 aims to mitigate the impact of cyberattacks by requiring federal contractors to adhere to the vulnerability disclosure guidelines set by the National Institute of Standards and Technology (NIST).
Bug bounty programs — similar to vulnerability disclosure programs but more specifically focused and offering financial rewards — have become extremely popular among big tech companies like Amazon, Google, Microsoft, OpenAI, and many others.
VDPs may not offer financial incentives but allow anyone, not just security researchers, ethical hackers, or penetration testers, to report bugs and vulnerabilities that attackers may exploit.
Despite VDPs’ potential, the industry and federal contractors themselves have been slow to capitalize on them because of a poor understanding of how they work, the benefits they bring, and what they cost.
Techopedia spoke with Ilona Cohen, Chief Legal and Policy Officer of HackerOne, to better understand the new Federal Contractor Cybersecurity Vulnerability Reduction Act and why it is important.
Cohen said that the bipartisan legislation addresses a critical gap in the nation’s cybersecurity protections.
“This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors.
“We applaud Senators Warner and Lankford for their leadership on this important issue.”
In a recent document (PDF), Senator Warner said that VDPs provide a way for organizations to receive unsolicited reports of vulnerabilities so that they can be patched.
Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues, the Senator said.
“This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks.”
Why the New Law Pushes Federal Contractors (not Agencies) to Level Up
HackerOne explained to Techopedia that federal agencies have already been mandated to implement VDPs and have done so. Not all government contractors, however, have adopted VDPs of their own.
Federal contractors are an integral part of federal supply chains and infrastructure, and they pose a unique security risk given their proximity to government data and access to government networks.
Federal agencies were mandated in 2020 to implement vulnerability disclosure programs through Office of Management and Budget memorandum M-20-32, and the Department of Homeland Security issued Binding Operational Directive 20-01.
Under the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, the Office of Management and Budget (OMB) will oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required of federal agencies.
Under the law, the Secretary of Defense will also be required to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure that defense contractors implement them.
“By requiring contractors to establish VDPs, good-faith security researchers can report identified vulnerabilities directly to the contractor, without requiring any additional reporting to a federal agency,” Senator Warner said.
Is the New Act Fair for All Companies?
Techopedia also spoke with Jacob Kalvo, cybersecurity expert and Co-Founder and CEO of Live Proxies, a proxy network provider.
“The Federal Contractor Cybersecurity Vulnerability Reduction Act was made on the back of the long trail of high-profile cyberattacks that swept across global domains in the aftermath of epic incidents, such as the SolarWinds breach and the Colonial Pipeline attack.”
Kalvo added that these cyberattacks exposed the weaknesses of federal contractors’ supply chains and information systems.
“These incidents highlighted the need for better cybersecurity measures throughout all civil and military sectors and unmasked failures by contractors to self-detect and self-correct vulnerabilities, being done for exploits by malevolent actors,” Kalvo said.
“Smaller companies might find it hard to marshal resources to meet these new requirements, creating barriers to entry for small businesses or raising costs for the federal government.”
Kalvo warned that rushed and rapid implementation may force quick or incomplete compliance and inadvertently introduce new security vulnerabilities.
“That will evidently overly weigh on small businesses and startups that hitch their wagons to federal government contracts,” Kalvo said.
“Though the bill has security intentions, it is likely to impact the smaller contractors more, and this could discourage them from awarding the federal government contracts, or it could make them relatively dependent on third parties in cybersecurity, hence adding to their operational expense.”
Additional challenges for federal contractors include restructuring IT and cybersecurity departments to meet the standards of full-fledged VDPs and alignment with NIST guidelines, as well as investment and costs. According to Kalvo, all these roadblocks could end up favoring only a few large companies operating in the market.
“This is a huge difference for many contractors, especially in the defense sector, where proactive and transparent cybersecurity practices mean not only financial investment but also a considerable cultural shift.”
Voting Machines, Government Communication Providers, Encryption Services, and Feasibility of the Act
Josh Schmidt of BPM, an assurance, advisory, tax, and Wealth Management company, also spoke to Techopedia about the Act and highlighted the role of federal contractors in the core processes of democracy.
“Certainly the most notable is the concern that Voting Machines were or can be tampered with, and these are provided by several (at least 10) contractors.”
“Other risks identified to federal systems (many provided by contracting services) are email services, cell phone services, and encryption services.”
Federal agencies rely on many outside companies for services like email and phone systems. These services often lack official security checks, leaving sensitive government information at risk of being stolen or compromised.
Schmidt agreed that small companies will face cost challenges but said that the price of doing business with a government includes being held to higher standards of scrutiny.
Techopedia asked Schmidt how feasible it is for federal contractors to implement the mandated cybersecurity measures outlined in this legislation.
“It’s never easy for governments to do such. The intent and program are created, in most cases, without the knowledge of timeline or ability to meet timelines.”
The Bottom Line
Government back-end technology and front-end systems are subject to huge pressure today, given the increased cyber hostilities against governments and those working with them.
This bipartisan law should have probably come sooner, and yes, it may present some difficulties for small companies that want to be federal contractors and must meet this prerequisite. However, it is definitely a step forward that both the industry and the government need to take right now.
References
- Warner, Lankford Announce Legislation to Strengthen Federal Cybersecurity Measures, Implement Mandatory Vulnerability Disclosure Policies – Press Releases – Mark R. Warner (Warner.senate)
- Recommendations for Federal Vulnerability Disclosure Guidelines (Nvlpubs.nist)
- Ilona Cohen – HackerOne | LinkedIn (Linkedin)
- HackerOne | #1 Trusted Security Platform and Hacker Program (Hackerone)
- Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (Warner.senate)
- BOD 20-01: Develop and Publish a Vulnerability Disclosure Policy | CISA (Cisa)
- Yakup Kalvo (Linkedin)
- Buy Private Residential & Mobile Proxy Solutions | Live Proxies (Liveproxies)
- Josh Schmidt (Linkedin)
- BPM – Assurance, Advisory, Tax & Wealth Management (Bpm)