US-CONGRESS HR872: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
HR872, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, has been received in the Senate and referred to committee. This bill would require federal contractors to implement specific cybersecurity vulnerability disclosure and remediation programs, likely aligning with NIST SP 800-171 and CMMC standards. It introduces new compliance clauses for FAR and DFARS, impacting all businesses with federal contracts, especially small businesses and set-asides.
Aforeworn detected this change in the Government Contracting (SAM/FAR) space on July 14, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. All federal contractors, including small business set-asides, defense contractors, GSA schedule holders, and federal grant recipients. should confirm how it applies to their specific situation before acting. There is a time constraint attached: Unknown; bill is in early stages. However, proactive compliance is advised as passage could lead to rapid implementation within 6-12 months.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors Government Contracting (SAM/FAR) continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.
What changed
New legislative requirement for contractors to establish and maintain a cybersecurity vulnerability disclosure and remediation program, with potential incorporation into FAR/DFARS clauses.
Who it affects
All federal contractors, including small business set-asides, defense contractors, GSA schedule holders, and federal grant recipients.
What you must do
Monitor bill progress; begin reviewing current cybersecurity practices against NIST SP 800-171 and CMMC requirements; prepare to implement a vulnerability disclosure program.
Deadline
Unknown; bill is in early stages. However, proactive compliance is advised as passage could lead to rapid implementation within 6-12 months.
Source: https://www.congress.gov/bill/119th-congress/house-bill/872
Never miss a change like this again
Aforeworn watches Government Contracting (SAM/FAR) around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.
Start your free trialRelated changes in Government Contracting (SAM/FAR)
- Pentagon suspends CMMC Phase II requirements. - N2K CyberWire
- DoW Suspends CMMC Phase II — NIST SP 800-171 Self-Assessment Becomes the Interim Standard, With Rising False Claims Act Exposure - Hunton Andrews Kurth LLP
- Department of War suspends CMMC Phase II, launches 60-day review to reduce compliance burden on defense contractors - Industrial Cyber
- Proposed Rule to Centralize the Federal Grant Process and Give Political Appointees More Power Over Awards - The National Law Review
- Department of War Immediately Suspends CMMC Phase II Requirements, Launches 60-Day Reform Review - Crowell & Moring LLP