Seeking to strengthen the cybersecurity posture of companies that do business with the federal government, Rep. Ted Lieu (D-Calif.) this week introduced a bill requiring government contractors to create programs that allow friendly hackers to probe for vulnerabilities on their networks so that security gaps can be mended.
“I have long been a supporter of vulnerability disclosure policies and programs (VDPs) in both the federal government and private sector,” Lieu said in a statement on Tuesday. “They allow security researchers to find software vulnerabilities and notify owners before they can be exploited by bad actors.”
Lieu said the Improving Contractor Cybersecurity Act is based on a 2020 Department of Homeland Security directive requiring federal civilian agencies to develop and publish VDPs. He also noted that his bill stems from President Joe Biden’s recent cybersecurity executive order, which would strengthen the government’s software supply chain security by, among other provisions, considering whether to direct contractors to have VDPs.
“There is no reason government contractors shouldn’t also be asked to maintain vulnerability disclosure policies, given the complex web of third-party vendors on which the United States relies,” he said. “I am pleased the Biden administration also recognizes this need, and mentioned VDPs in its recent executive order as one way to shore up federal cybersecurity.”