A bipartisan legislation is seeking updates to the Federal Acquisition Regulation to require federal contractors to implement vulnerability disclosure policies.
U.S. Sen. Mark Warner, D-Va., vice chairman of the Senate Select Committee on Intelligence, said Friday that VDPs “are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices.”
Warner introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 with James Lankford, R-Okla., a member of the Senate Committee on Homeland Security and Governmental Affairs.
Civilian federal agencies are already required to have VDPs; however, the same requirement does not exist for federal contractors for the information systems used in fulfilling their contracts. Under the proposed bill, the contractors should adhere to National Institute of Standards and Technology guidelines and implement VDPs in line with those of the federal agencies to help reduce known security vulnerabilities, secure the entire supply chain and protect national security. The Office of Management and Budget would be required to oversee the FAR updates to ensure proper VDP implementation.
According to Lankford, increasing awareness of cyber vulnerabilities could help contractors and agencies keep data and systems safe from cybercrimes and hacking.
Sen. Warner’s Cyber-Focused Legislative Efforts
Warner authored the Internet of Things Cybersecurity Improvement Act, signed into law in 2020 by President Donald Trump, requiring IoT devices purchased with federal funds to meet minimum security standards. He also cofounded the bipartisan Senate Cybersecurity Caucus in 2016 and co-authored legislation mandating companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.
