Improving Contractor Cybersecurity Act
The summary
What this bill does
Improving Contractor Cybersecurity Act
This bill prohibits an executive agency from entering into a contract for information technology unless the contractor maintains a vulnerability disclosure policy (VDP) and program.
The contractor must report to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, within seven days after the VDP is published and on an ongoing basis as vulnerability reports are received, information regarding
- any valid or credible report of a not previously known public vulnerability on a system that uses commercial software or services that affect, or are likely to affect, other parties in government or industry once a patch or viable mitigation is available; and
- any other situation where the contractor determines it would be helpful or necessary to involve CISA.
CISA must submit vulnerabilities to the MITRE Common Vulnerabilities and Exposures database and the National Institute of Standards and Technology National Vulnerability Database.
Legislative timeline
From introduction
Feb 12, 2025
Introduced & referred to committee
Congressional support
Sponsors & Cosponsors
U.S. Representative - CA District 36 · D-CA
Roll-call vote
The vote, by member
The vote, by member
VERSION CHANGES
What changed,
and where.
Loading the bill text comparison.
Bill Metadata
| Congress | 119 |
| Bill Type | HR |
| Bill Number | 1258 |
| Origin Chamber | House |
| Current Status | Referred to the House Committee on Oversight and Government Reform. |
| Policy Area | Government Operations and Politics |
| Primary Committee | Not assigned |
| Introduced | February 12, 2025 |
| Latest Action | February 12, 2025 |
| Cosponsors | 0 · House vote — · — views |