By Kenny R. Cantrell, III, Ashley P. Cullinan, and Sean Farrell of Smith Currie Oles LLP
Originally published August 27, 2025
In a significant development that could reshape cybersecurity compliance for federal contractors, the U.S. House of Representatives passed the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 (H.R. 872) (Act). Approved by voice vote on May 8, the bill marks a significant step toward mandating formal Vulnerability Disclosure Policies (VDPs) for a wide swath of federal contractors. This includes those in the construction and infrastructure sectors.
Today’s connected project environments, from cloud-based design software to smart infrastructure technologies, are increasingly vulnerable to digital threats. We have written about the regulatory momentum behind stringent cybersecurity requirements for federal contracts in prior articles. Cybersecurity, which may not typically rank high among concerns for construction contractors, will soon become crucial for survival. This bill will impose new cybersecurity responsibilities far beyond traditional IT protocols.
The Federal Contractor Cybersecurity Vulnerability Reduction Act aims to close a longstanding gap in how federal cybersecurity protections are applied. At its core, the bill requires the Office of Management and Budget (OMB) to incorporate VDP requirements into contracts of $250,000 or more.
A VDP is an organization’s structured framework or process for receiving and acting on reports of security vulnerabilities from external parties. A VDP enables third-party cybersecurity researchers, often called ethical or “white-hat” hackers, to look for cyber vulnerabilities in an organization’s public-facing systems and disclose their discoveries to the organization. It is a way for organizations to proactively identify and address vulnerabilities before they can be exploited, fostering a transparent and efficient process for vulnerability identification, communication, and remediation.
The bill leans heavily on guidance from the National Institute of Standards and Technology (NIST), particularly its publication SP 800-216. NIST SP 800-216 offers a comprehensive framework for establishing VDPs. Contractors may soon find themselves required to align their internal cybersecurity practices with this federal standard, making early preparation crucial.
The OMB will coordinate with the Cybersecurity and Infrastructure Security Agency, the Department of Defense (DOD), and the Office of the National Cyber Director to establish guidelines and enforcement mechanisms. The DOD will issue companion requirements through updates to the Defense Federal Acquisition Regulation Supplement (DFARS).
Federal agencies are already required to maintain VDPs. However, contractors often access sensitive systems and data during a project and are not subject to a parallel obligation. This legislation changes that dynamic, bringing contractors under the same umbrella of cybersecurity scrutiny.
The Act, which originated in the House through sponsorship from Republican Representative Nancy Mace and Democratic Representative Shontel Brown, has attracted widespread political and industry support. Congresswoman Shontel Brown commented, “Cybersecurity isn’t optional, it’s essential. We need to make sure federal contractors follow national guidelines to protect digital infrastructure so that we can ensure our systems are secure. I’m proud that our bill to require Vulnerability Disclosure Policies for contractors passed the House … This is an important step toward better protecting sensitive data from malicious actors, and we’ll continue to build support for this important bill.”
The measure still awaits Senate approval, but all signs suggest it will progress with bipartisan momentum. The Senate version, introduced by Senators Mark Warner and James Lankford, mirrors the House bill and is currently under review by the Senate Committee on Homeland Security and Governmental Affairs.
Even contractors who do not handle classified materials or operate traditionally in the IT space will be implicated if they manage or interface with digital systems. This includes cloud-based project management tools, building information modeling (“BIM”) platforms, and automated control systems embedded in smart buildings. Under the proposed law, your organization may need to build a formal, publicly accessible channel for “white-hat hackers” to report cyber vulnerabilities in your systems.
The timeline for implementation will depend on how quickly the Senate acts and how soon the relevant agencies finalize the rulemaking process. However, construction contractors would be well advised to start proactively assessing whether they need to establish VDPs to ensure compliance down the line. Contractors may want to signal to federal clients that their firm takes cybersecurity seriously.
Smith Currie Oles is tracking this legislation closely and will continue to provide updates as it progresses.
Kenny R. Cantrell, III is an Associate with Smith Currie Oles LLP. He represents owners, general contractors, subcontractors, architects, engineers, and suppliers in disputes and also advises them on a variety of issues. He can be reached at krcantrell@smithcurrie.com or 404.582.8066.
Ashley P. Cullinan is an Associate with Smith Currie Oles LLP. She represents owners, contractors, subcontractors, sureties, and design professionals in contract drafting and negotiation and dispute resolution. She can be reached at apcullinan@smithcurrie.com or 703.223.9229.
Sean Farrell is an Associate with Smith Currie Oles LLP. He represents contractors, subcontractors, and other construction industry professionals in a wide variety of legal matters. He can be reached at spfarrell@smithcurrie.com or 404.582.8063.