The Improving Contractor Cybersecurity Act: A Proactive Approach to Securing Federal Networks
The potential impacts of the SolarWinds breach on public and private sector stakeholders have been the subject of major research publications and media coverage since December 2020. However, SolarWinds was just the most recent in a long line of infamous cybersecurity breaches ranging from OPM to Equifax, all of which resulted from an adversary’s lateral compromise through the vendor supply chain. The Improving Contractor Cybersecurity Act of 2021, proposed by Representative Ted Lieu, aims to require contractors to assume greater proactive responsibility in securing the solutions they deliver to executive agencies. Rep. Lieu’s proposed legislation would introduce transparency, accountability, and market incentive into the federal information technology acquisition process. H.R. 2236 excels at detailing an external vulnerability disclosure process and includes essential privacy protections (such as the option to report anonymously), indemnity clauses for researchers, and accessibility features (i.e., website reporting). ICIT believes the bill is a monumental step in the direction of national supply chain security reform because it places the onus on federal contractors to secure the solutions they serve to executive agencies.