H.R. 872 (119th)Bill Overview

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

Government Operations and Politics|Computer security and identity theftGovernment information and archives
Cosponsors
Support
Republican
Introduced
Jan 31, 2025
Discussions
Bill Text
Current stageCommittee

Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Introduced
Committee
Floor
President
Law
Congressional Activities
01 · The brief
Plain-English summaryWhat this bill actually does

Requires OMB, in consultation with CISA, NIST, the National Cyber Director, and others, to review and recommend updates to FAR contract language so covered federal contractors adopt vulnerability disclosure policies consistent with NIST and IoT Cybersecurity Improvement Act guidance. Directs the FAR Council and the Department of Defense to update the FAR and DFARS respectively to incorporate those requirements, aligning with ISO 29147 and 30111 where practicable.

Why people may split

Progressives emphasize transparency and researcher protections; conservatives worry about regulatory burden.

Watch point

Relative to its intended legislative type, this bill establishes a clear substantive policy change by directing executive entities to create and incorporate contractor vulnerability disclosure requirements into procurement regulations, and it provides a concrete administrative pathway (responsible agencies and deadlines) and statutory cross-references.

Requires OMB, in consultation with CISA, NIST, the National Cyber Director, and others, to review and recommend updates to FAR contract language so covered federal contractors adopt vulnerability disclosure policies consistent with NIST and IoT Cybersecurity Improvement Act guidance.

Directs the FAR Council and the Department of Defense to update the FAR and DFARS respectively to incorporate those requirements, aligning with ISO 29147 and 30111 where practicable.

Allows agency and DoD CIO waivers for national security or research reasons with notifications to relevant congressional committees.

Passage55/100

Text is narrow, technical, and non-controversial with limited fiscal impact, improving chances; final outcome depends on Senate action and executive signing.

CredibilityPartially aligned

Relative to its intended legislative type, this bill establishes a clear substantive policy change by directing executive entities to create and incorporate contractor vulnerability disclosure requirements into procurement regulations, and it provides a concrete administrative pathway (responsible agencies and deadlines) and statutory cross-references. It leaves implementation specifics to subsequent rulemaking and does not include funding, enforcement, or comprehensive compliance metrics.

Contention55/100

Progressives emphasize transparency and researcher protections; conservatives worry about regulatory burden.

02 · What it does

Who stands to gain, and who may push back.

Likely benefits vs burdens50% / 50%
Federal agenciesFederal agencies

These are examples from the analysis, not a ranked list of the most-affected groups.

Likely helped
  • Federal agenciesIncreased reporting and remediation of security vulnerabilities in contractor-controlled systems, improving federal sys…
  • Federal agenciesHarmonization with NIST and ISO standards creates consistent requirements across federal contracts and industry.
  • Potential benefitLowered breach risk which may reduce incident response and recovery costs for agencies.
Likely burdened
  • Potential burdenNew FAR and DFARS clauses will impose additional compliance costs on contractors, affecting contract pricing.
  • Potential burdenSmaller contractors may face disproportionate administrative and technical burdens meeting disclosure policy requiremen…
  • Federal agenciesAgency waiver authority for national security could limit public disclosure and reduce transparency.
03 · Why people split

Why the argument around this bill splits.

Progressives emphasize transparency and researcher protections; conservatives worry about regulatory burden.
Progressive80%

Likely supportive overall because the bill strengthens contractor cybersecurity and aligns with NIST and industry standards.

Would welcome improved coordinated disclosure but want stronger researcher protections and limits on waiver use.

May press for enforcement, resourcing, and transparency on waiver justifications.

Leans supportive
Centrist70%

Sees the bill as a practical, technical update to procurement rules to reduce cyber risk.

Generally favorable but cautious about implementation timing, compliance costs, and clarity for small contractors.

Would seek phased implementation and clear guidance to minimize unintended burdens.

Leans supportive
Conservative40%

Skeptical of new federal mandates that expand procurement compliance obligations.

Concerns focus on regulatory burden, costs to contractors, and possible exposure of vulnerabilities.

The national-security waiver is a needed safeguard but may not fully mitigate risks of mandated disclosure processes.

Split reaction
04 · Can it pass?

The path through Congress.

Introduced

Reached or meaningfully advanced

Committee

Reached or meaningfully advanced

Floor

Still ahead

President

Still ahead

Law

Still ahead

Passage likelihood55/100

Text is narrow, technical, and non-controversial with limited fiscal impact, improving chances; final outcome depends on Senate action and executive signing.

Scope and complexity
24%
Scopenarrow
52%
Complexitymedium
Why this could stall
  • No cost estimate or agency workload assessment in text
  • Potential industry objections over compliance burdens
05 · Recent votes

Recent votes on the bill.

No vote history yet

The bill has not accumulated any surfaced votes yet.

06 · Go deeper

Go deeper than the headline read.

Included on this page

Progressives emphasize transparency and researcher protections; conservatives worry about regulatory burden.

Text is narrow, technical, and non-controversial with limited fiscal impact, improving chances; final outcome depends on Senate action and…

Unlocked analysis

Relative to its intended legislative type, this bill establishes a clear substantive policy change by directing executive entities to create and incorporate contractor vulnerability disclosure requirements into procurem…

Go beyond the headline summary with full stakeholder mapping, legislative design analysis, passage barriers, and lens-by-lens tradeoff breakdowns.

Perspective breakdownsPassage barriersLegislative design reviewStakeholder impact map
Open full analysis