CyberSecurity SEE

The Cybersecurity Vulnerability Reduction Act: A revised Fair Credit Reporting Act and incentives for securing critical infrastructure.

The proposed Federal Cybersecurity Vulnerability Reduction Act, introduced by Representative Nancy Mace (Republican, South Carolina First District), aims to extend vulnerability disclosure regulations to contractors. This update would require federal contractors to adhere to the same vulnerability disclosure requirements that federal agencies currently follow.

Representative Mace, who chairs the House Oversight and Accountability Committee’s cybersecurity, information technology, and government innovation subcommittee, believes that the Federal Cybersecurity Vulnerability Reduction Act is crucial to safeguarding the nation’s digital infrastructure. By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, the act aims to enable contractors to promptly identify and address software vulnerabilities. This proactive approach to cybersecurity is expected to help contractors stay ahead of malicious actors, prevent potential exploits, and protect sensitive information.

The bill has received support from HackerOne, a leading vulnerability disclosure platform. HackerOne expressed its endorsement for the Federal Cybersecurity Vulnerability Reduction Act, emphasizing the importance of requiring VDPs for all federal contractors. If enacted, this legislation would significantly improve the overall cybersecurity posture of contractors working with federal agencies.

In a separate development, the US Consumer Financial Protection Bureau (CFPB) conducted an inquiry into the Fair Credit Reporting Act (FCRA) in March, and on August 15, Director Rohit Chopra announced plans to extend the FCRA to certain “data broker practices.” The CFPB intends to publish the new rules for public comment in 2024. In the meantime, a fact sheet has been released to provide an overview of the proposed changes.

The extension of the FCRA would have two main impacts. First, data brokers that sell specific types of consumer information would be designated as “consumer reporting agencies” (CRAs) and would be required to comply with the FCRA’s accuracy and dispute-handling requirements. Second, the rules would clarify that “credit header data” (such as name, date of birth, and Social Security number) is a “consumer report,” thereby providing greater protection against the disclosure of this data. Additionally, the updated rules address concerns surrounding the use of artificial intelligence and automated decision-making by data brokers, which aligns with recent efforts to regulate these technologies more closely at the federal and state levels.

Moreover, the CFPB has stated that it will adopt a cross-sector approach to rulemaking for the FCRA. This means that the CFPB, together with other agencies such as the Federal Trade Commission, the Department of Transportation, and the Department of Agriculture, will enforce the updated rules across various sectors of the economy. This collaborative effort reflects the importance of protecting consumer information and ensuring compliance with the FCRA.

In response to the increasing frequency of cyberattacks targeting critical infrastructure, the US government has implemented a reward-and-punishment approach to enhance security. This approach uses both incentives and penalties to push companies to prioritize cybersecurity measures. An example of the “stick” in this approach is the Cyber Incident Reporting for Critical Infrastructure Act, passed in 2022. This legislation imposes steep penalties on critical infrastructure companies that fail to report cyber incidents to the Cybersecurity and Infrastructure Security Agency. Underreporting of cybercrime is a significant concern, with the FBI estimating that it receives reports for only a small fraction of all cyber incidents.

On the other hand, a noteworthy example of the “carrot” in this approach is a new cyber incentive framework established by the Federal Energy Regulatory Commission. Companies that make specific cybersecurity investments or participate in threat information-sharing programs are rewarded with access to an incentive-based rate recovery. This allows them to fund cybersecurity investments through increases in consumer electric bills. This program, falling under the Infrastructure Investment and Jobs Act, acknowledges the importance of including cybersecurity costs when determining customer rates.

Overall, the US government is taking proactive steps to strengthen the cybersecurity landscape. By extending vulnerability disclosure regulations to contractors, updating the FCRA, and implementing a reward-and-punishment approach for critical infrastructure security, policymakers aim to enhance the country’s resilience against cyber threats and protect sensitive information.
