Rep. Ted Lieu, D-Calif., introduced a bill on June 1 that aims to improve the cybersecurity posture of government contractors, his office announced.
The Improving Contractor Cybersecurity Act would require any vendor looking to do business with the Federal government to have a vulnerability disclosure policy (VDP) in place.
“The Department of Homeland Security already requires federal agencies to maintain VDPs because leaders in government recognize VDPs are one of our best chances at stopping cyberattacks before they happen. There is no reason government contractors shouldn’t also be asked to maintain vulnerability disclosure policies, given the complex web of third-party vendors on which the United States relies,” Rep. Lieu said in the release.
The bill comes in response to the various attacks on critical infrastructure that have recently come to light, with a ransomware attack on meat supplier JBS USA making the news this week. The full text of the bill has not yet been released, but the legislation has already garnered support from a variety of cybersecurity industry organizations and former Federal officials.
Among those former officials are Christopher Painter, the former State Department coordinator for Cyber Issues and senior director for Cyber Policy on President Obama’s National Security Council, and Paul Rosenzweig, a former DHS deputy assistant secretary for Policy under President George W. Bush.
“Vulnerability discovery and responsible disclosure of the kind championed by this bill is a foundational part of a more secure cyber ecosystem and helping to prevent malicious actors’ exploiting our government and private sector systems,” Painter said in the release.
Rosenzweig similarly championed the bill and called on Congress to bring it up for “careful and prompt” consideration.
“Representative Lieu’s bill on vulnerability disclosure programs for contractors is a commonsense expansion of an important concept that is already used inside the government. It is the first, significant step in an important discussion whose timeliness is made apparent by recent breaches that appear to have compromised critical government IT systems,” Rosenzweig said in the same release.