Some federal contractors have treated cybersecurity like a locked door: if no one can report a vulnerability, it's not a problem, right? The U.S. House of Representatives disagrees. Last month, the House took a significant step toward strengthening the cybersecurity of federal contractors by passing a bill centered on the Vulnerability Disclosure Policy (VDP).
The Federal Contractor Cybersecurity Vulnerability Reduction Act, first introduced in 2023, would require federal contractors to implement a VDP consistent with National Institute of Standards and Technology (NIST) guidelines as a condition of receiving government contracts. This could change how security risks are handled in government supply chains. Federal agencies themselves have already been under a similar requirement: CISA's Binding Operational Directive (BOD) 20-01, issued in September 2020, required every agency to publish a VDP by March 2021.
A VDP is a published policy that authorizes good-faith security testing of an organization's publicly accessible, internet-facing assets and defines how researchers report the vulnerabilities they find. In practice, a workable VDP states what is in scope, what testing is authorized (and what is not), how to submit a report, and what the organization commits to do with it, such as acknowledging receipt and remediating within a stated timeframe. Establishing a VDP is a critical step an organization can take to identify and address security flaws before malicious actors exploit them.
Why Does This Matter?
Federal contractors are essential to government operations, but their access to sensitive data creates substantial risks to both the contractors themselves and national security.
With over 11 million contracts awarded annually, the volume of information shared with external entities is staggering. From personally identifiable information (PII) and intellectual property (IP) to classified information, the consequences of a breach range from financial loss and reputational damage to threats to national security.
Last year, the U.S. Department of State announced a $200 million settlement with defense contractor RTX over export-control (ITAR) violations. RTX had voluntarily disclosed 750 violations occurring between August 2017 and September 2023. In one incident, an employee traveled to St. Petersburg, Russia, with an RTX-issued laptop. While there, the employee received multiple security alerts on the device and notified the cybersecurity team, but the alerts were incorrectly dismissed as false positives, likely because of a newly deployed tool. The lesson is a familiar one: a report is only as useful as the triage behind it.
If passed by the U.S. Senate and signed into law, this bill would bring much-needed transparency to federal cybersecurity practices and further protect the information of American citizens. Regardless of the outcome, a VDP is widely regarded as a baseline security control: it lets an organization cast a wider net by inviting the broader researcher community to report flaws in good faith, rather than leaving those flaws to be found only by attackers.
Federal Contractors: You Need the Right VDP
A Vulnerability Disclosure Program does come with an administrative burden. By design, anyone can submit a report regardless of its severity, so a program generates noise, duplicates and out-of-scope findings that an already stretched security team must still acknowledge and sift through. Intake without consistent triage is how a genuine finding ends up buried or, as in the RTX example above, dismissed as a false positive.
Synack's Penetration Testing as a Service (PTaaS) platform is the only FedRAMP Moderate Authorized security testing provider available, offering point-in-time and continuous on-demand penetration testing along with attack surface discovery, vulnerability management and real-time analytics.
With Synack's Managed VDP, we run the program for you. Every submission receives triage and analysis, is deduplicated and validated, and is handled promptly and professionally, so your security team can focus on what actually needs to be fixed and patched.
To learn more about Synack's Managed VDP offering and our offensive penetration testing capabilities, request a demo.