HR 872: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

HR 872 in plain English: This bill requires updates to federal acquisition regulations to strengthen cybersecurity vulnerability disclosure requirements for federal contractors with contracts at or above $250,000 or those managing federal information systems. It directs the Office of Management and Budget to review and recommend updated contract language for vulnerability disclosure programs, and requires the Federal Acquisition Regulation Council and the Department of Defense to update their regulations accordingly.

Stated purpose

To require certain federal contractors to set up formal programs for receiving and acting on reports of cybersecurity vulnerabilities in their systems, consistent with standards set by the National Institute of Standards and Technology.

Key points

Arguments supporters make

Arguments opponents make

Tradeoffs

Stronger cybersecurity protections for federal information systems come at the cost of increased compliance requirements and potential overhead for contractors, particularly smaller firms; the bill also balances a uniform national standard against agency flexibility through its waiver provisions.

Current status in Congress: Passed House.