By: Kenny R. Cantrell, Ashley P. Cullinan, Sean Farrell, Associates, Smith Currie Oles
September 2, 2025

In a development that could reshape cybersecurity compliance for federal contractors, the U.S. House of Representatives passed the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 (H.R. 872) (“Act”). Approved by voice vote on May 8, the bill marks a significant step toward mandating formal Vulnerability Disclosure Policies (“VDPs”) for a wide swath of federal contractors, including those in the construction and infrastructure sectors.

Today’s connected project environments, from cloud-based design software to smart infrastructure technologies, are increasingly vulnerable to digital threats. We have written about the regulatory momentum behind stringent cybersecurity requirements for federal contracts in prior articles. Cybersecurity, which may not typically rank high among concerns for construction contractors, will soon become crucial for survival. This bill will impose new cybersecurity responsibilities far beyond traditional IT protocols.

The Federal Contractor Cybersecurity Vulnerability Reduction Act aims to close a longstanding gap in how federal cybersecurity protections are applied. At its core, the bill requires the Office of Management and Budget (“OMB”) to incorporate VDP requirements into contracts of $250,000 or more.

A VDP is an organization’s structured framework or process for receiving and handling reports of security vulnerabilities from external parties. A VDP enables third-party cybersecurity researchers, often called ethical or “white-hat” hackers, to look for cyber vulnerabilities in an organization’s public-facing systems and disclose their discoveries to the organization. It is a way for organizations to proactively identify and address vulnerabilities before they can be exploited, fostering a transparent and efficient process for vulnerability identification, communication, and remediation.

The bill leans heavily on guidance from the National Institute of Standards and Technology (“NIST”), particularly its publication SP 800-216. NIST SP 800-216 offers a comprehensive framework for establishing VDPs. Contractors may soon find themselves required to align their internal cybersecurity practices with this federal standard, making early preparation crucial.

The OMB will coordinate with the Cybersecurity and Infrastructure Security Agency (“CISA”), the Department of Defense (“DOD”), and the Office of the National Cyber Director to establish guidelines and enforcement mechanisms. The DOD will issue companion requirements through updates to the Defense Federal Acquisition Regulation Supplement (“DFARS”).

Federal agencies are already required to maintain VDPs. Contractors, however, often access sensitive systems and data during a project yet are not subject to a parallel obligation. This legislation changes that dynamic, bringing contractors under the same umbrella of cybersecurity scrutiny.

The Act, which originated in the House through sponsorship from Republican Representative Nancy Mace and Democratic Representative Shontel Brown, has attracted widespread political and industry support. Congresswoman Shontel Brown commented, “Cybersecurity isn’t optional, it’s essential. We need to make sure federal contractors follow national guidelines to protect digital infrastructure so that we can ensure our systems are secure. I’m proud that our bill to require Vulnerability Disclosure Policies for contractors passed the House … This is an important step toward better protecting sensitive data from malicious actors, and we’ll continue to build support for this important bill”.

The measure still awaits Senate approval, but all signs suggest it will progress with bipartisan momentum. The Senate version, introduced by Senators Mark Warner and James Lankford, mirrors the House bill and is currently under review by the Senate Committee on Homeland Security and Governmental Affairs.

Even contractors who do not handle classified materials or traditionally operate in the IT space will be implicated if they manage or interface with digital systems. This includes cloud-based project management tools, building information modeling (“BIM”) platforms, and automated control systems embedded in smart buildings. Under the proposed law, your organization may need to build a formal, publicly accessible channel through which “white-hat hackers” can report cyber vulnerabilities in your systems.

The timeline for implementation will depend on how quickly the Senate acts and how soon the relevant agencies finalize the rulemaking process. However, construction contractors would be well advised to start assessing now whether they need to establish VDPs, to ensure compliance down the line and to signal to federal clients that their firm takes cybersecurity seriously.

Smith Currie Oles is tracking this legislation closely and will continue to provide updates as it progresses. We can assist clients in evaluating current practices, drafting VDPs, negotiating updated contract language, and ensuring full compliance with emerging federal cybersecurity mandates.

As the federal landscape evolves, we are here to help you navigate what may soon become a defining feature of federal procurement compliance.

Smith Currie Oles provides comprehensive legal services to all parts of the construction industry across the nation. Smith Currie lawyers have decades of demonstrated success representing construction and federal government contracting clients “From the Ground Up,” including procurement matters, contract formation and negotiation, project administration, claims prosecution and, when necessary, in litigation and other forms of dispute resolution.

The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.