HR 872: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
HR 872 in plain English: This bill requires updates to federal acquisition regulations to strengthen cybersecurity vulnerability disclosure requirements for federal contractors with contracts at or above $250,000 or those managing federal information systems. It directs the Office of Management and Budget to review and recommend updated contract language for vulnerability disclosure programs, and requires the Federal Acquisition Regulation Council and the Department of Defense to update their regulations accordingly.
Stated purpose
To require certain federal contractors to set up formal programs for receiving and acting on reports of cybersecurity vulnerabilities in their systems, consistent with standards set by the National Institute of Standards and Technology.
Key points
- Applies to federal contractors with contracts at or above $250,000 or those operating federal information systems
- Requires OMB to recommend updated FAR contract language for contractor vulnerability disclosure programs
- Mandates contractor vulnerability disclosure policies align with National Institute of Standards and Technology guidelines
- Requires DOD to conduct a parallel review and update of its own acquisition regulations
Arguments supporters make
- Government contractors handling sensitive federal systems often lack clear processes for receiving vulnerability reports, leaving security gaps that this bill would close
- Aligning contractor cybersecurity practices with established NIST guidelines and international standards creates consistency and raises the overall security baseline for federal IT
- Requiring contractors to have these programs helps protect taxpayer-funded systems and sensitive government data from cyberattacks before they cause serious harm
Arguments opponents make
- Smaller contractors just above the $250,000 threshold may face significant compliance costs and administrative burden to build and maintain formal vulnerability disclosure programs
- Adding new regulatory layers to the Federal Acquisition Regulation could slow down contracting and discourage some businesses from competing for government work
- Waiver provisions that allow agencies to bypass these requirements for national security or research reasons could weaken the policy if used broadly or without sufficient oversight
Tradeoffs
Stronger cybersecurity protections for federal information systems come at the cost of increased compliance requirements and potential overhead for contractors, particularly smaller firms; the bill also balances a uniform national standard against agency flexibility through its waiver provisions.
Current status in Congress: Passed House.