House Legislation Would Require Contractors to Create Vulnerability Disclosure Policies
This week, Rep. Nancy Mace (R-S.C.) introduced legislation, the Federal Cybersecurity Vulnerability Reduction Act of 2023, which requires the government to amend the Federal Acquisition Regulation ("FAR") to add language for contractors to "implement a vulnerability disclosure policy consistent with NIST guidelines for contractors as required under section 5 of the IoT Cybersecurity Improvement Act of 2020."
The legislation states that the updates to the FAR should, to the maximum extent practicable:
be aligned with the NIST guidelines and OMB implementation for contractors as required under sections 5 and 6 of the IoT Cybersecurity Improvement Act of 2020;
be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization (or any successor standard) or any other appropriate, relevant, and widely-used standard; and
shall not apply to contractors whose contracts are in amounts not greater than the simplified acquisition threshold.
Notably, the Act also requires similar amendments to the Defense Federal Acquisition Regulation Supplement ("DFARS") and includes – under both the FAR and DFARS – language regarding waivers. In that regard, to obtain a waiver, the legislation requires approval by the agency Chief Information Officer ("CIO"), provided that the CIO determines that the waiver "is necessary in the interest of national security or research purposes."
. . .