Improving Contractor Cybersecurity Act

House Bill

H.R. 1258

119th Congress

Improving Contractor Cybersecurity Act

In Committee

Introduced:Feb 12, 2025

Primary Sponsor

Chellie Pingree

Representative

Democratic

ME-1

Cosponsors

0

Quick Stats

Policy Area

Government Operations and Politics

Summary

This bill requires federal IT contractors to maintain vulnerability disclosure programs (VDPs). Contractors must report newly discovered software vulnerabilities to CISA within seven days, especially those affecting government or industry systems. CISA submits vulnerabilities to the MITRE CVE database and NIST National Vulnerability Database. This strengthens cybersecurity across federal contractor systems.

Latest Action

Referred to the House Committee on Oversight and Government Reform.

AI Summary

Plain-English explanation of this bill

This bill requires federal IT contractors to maintain vulnerability disclosure programs (VDPs). Contractors must report newly discovered software vulnerabilities to CISA within seven days, especially those affecting government or industry systems. CISA submits vulnerabilities to the MITRE CVE database and NIST National Vulnerability Database. This strengthens cybersecurity across federal contractor systems.

Last updated: 12/30/2025

Official Summary

Congressional Research Service summary

Improving Contractor Cybersecurity ActThis bill prohibits an executive agency from entering into a contract for information technology unless the contractor maintains a vulnerability disclosure policy (VDP) and program.The contractor must report to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, within seven days after the VDP is published and on an ongoing basis as vulnerability reports are received, information regarding<ul><li>any valid or credible report of a not previously known public vulnerability on a system that uses commercial software or services that affect, or are likely to affect, other parties in government or industry once a patch or viable mitigation is available; and</li><li>any other situation where the contractor determines it would be helpful or necessary to involve CISA.</li></ul>CISA must submit vulnerabilities to the MITRE Common Vulnerabilities and Exposures database and the National Institute of Standards and Technology National Vulnerability Database.

Key Points

Main provisions of the bill

Requires federal IT contractors to have vulnerability disclosure programs
Contractors report vulnerabilities to CISA within 7 days
Covers previously unknown software vulnerabilities
CISA submits findings to CVE and NVD databases
Applies to contracts involving commercial software/services
Improves coordinated vulnerability disclosure across government

How This Impacts Americans

Potential effects on citizens and communities

Federal contractors handle sensitive government data and systems, making their cybersecurity critical. This bill ensures contractors actively identify and disclose vulnerabilities rather than hiding them. The reporting requirements and database submissions help the broader cybersecurity community address threats. While adding compliance requirements for contractors, the bill strengthens the overall security posture of federal IT systems and promotes responsible vulnerability disclosure practices.

Policy Areas

Primary Policy Area

Government Operations and Politics

Related Subjects

Computers and information technology

Government information and archives

Public contracts and procurement

Scope & Jurisdiction

Jurisdiction Level

federal

Congressional Session

119th Congress

Citation Reference

1258, 119th Congress (2025). "Improving Contractor Cybersecurity Act". Source: Voter's Right Platform. https://votersright.org/bills/118-hr-1258