Legis Daily

Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025

USA | 119th Congress | S-1899 | Senate | Updated: 5/22/2025
Mark R. Warner

Democratic Senator

Virginia

Cosponsors (1)
James Lankford (Republican)

Homeland Security and Governmental Affairs Committee

This bill aims to enhance federal cybersecurity by requiring federal contractors to implement robust vulnerability disclosure policies. Within 180 days of enactment, the Office of Management and Budget, in consultation with key cybersecurity agencies, must review and recommend updates to the Federal Acquisition Regulation (FAR) to incorporate these new requirements. These recommendations are specifically designed to ensure that contractors' policies align with National Institute of Standards and Technology (NIST) guidelines, referencing existing standards from the IoT Cybersecurity Improvement Act of 2020. Following these recommendations, the Federal Acquisition Regulation Council is mandated to amend the FAR within 180 days to include provisions for covered contractors. These provisions will require contractors to actively solicit and address information regarding potential security vulnerabilities in any information system they own or control that is used in the performance of a federal contract. The updated FAR must also align with industry best practices and international standards, such as ISO Standards 29147 and 30111, to the maximum extent practicable. An agency head may waive this vulnerability disclosure policy requirement if the agency's Chief Information Officer determines it is necessary for national security or research purposes, provided Congress is notified within 30 days. A covered contractor is defined as one with a contract at or above the simplified acquisition threshold, or one that uses, operates, manages, or maintains a Federal information system on behalf of an agency. The bill specifies that no additional funds are authorized for its implementation.

Timeline

  • Bill from Previous Congress

    S 118-5028
    Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024


  • March 4, 2025

    Latest Companion Bill Action

    HR 119-872
    Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.


  • May 22, 2025
    Introduced in Senate


  • May 22, 2025
    Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Science, Technology, Communications
