H.R. 3608 · 117th Congress · House

Improving Contractor Cybersecurity Act

Active · Referred to the House Committee on Oversight and Reform.

  • Introduced: May 28, 2021
  • Passed House: Pending
  • Passed Senate: Pending
  • Sent to President: Pending
  • Signed into Law: Pending

Executive Summary

This bill prohibits an executive agency from entering into a contract for information technology unless the contractor maintains a vulnerability disclosure policy (VDP) and program.

The contractor must report to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, within seven days after the VDP is published, information regarding

  • any valid or credible report of a not previously known public vulnerability on a system that uses commercial software or services that affect, or are likely to affect, other parties in government or industry once a patch or viable mitigation is available; and
  • any other situation where the contractor determines it would be helpful or necessary to involve CISA.

CISA must submit vulnerabilities to the MITRE Common Vulnerabilities and Exposures database and the National Institute of Standards and Technology National Vulnerability Database.

Action Timeline

  1. May 28, 2021 · IntroReferral

    Introduced in House

  2. May 28, 2021 · IntroReferral

    Introduced in House

  3. May 28, 2021 · IntroReferral

    Referred to the House Committee on Oversight and Reform.

Committees

Oversight and Government Reform Committee

hsgo00

Referred: May 28, 2021

Active