This bill, known as the Improving Contractor Cybersecurity Act, mandates that executive agencies cannot enter into contracts for information technology unless the contractor maintains a comprehensive vulnerability disclosure policy and program. This policy must clearly define the scope of systems, permissible testing activities, and strict guidelines for handling sensitive information discovered during vulnerability research. It also requires a commitment from contractors not to pursue civil action against individuals who report vulnerabilities in good faith and to support them if sued by third parties. The required policy must detail how individuals can submit vulnerability reports, including location, necessary technical information, and the option for anonymous reporting. Contractors must also provide a public website page for vulnerability submissions, contact information for review teams, and a description of their review process, including potential monetary rewards. Furthermore, contractors are required to report any valid or credible, previously unknown public vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA), which will then communicate these to databases like MITRE Common Vulnerabilities and Exposures and the National Institute of Standards and Technology National Vulnerability Database. These requirements apply to all contracts entered into on or after the bill's enactment date.
Referred to the House Committee on Oversight and Government Reform.
Policy area: Government Operations and Politics
Subjects: Computers and information technology | Government information and archives | Public contracts and procurement
Improving Contractor Cybersecurity Act
USA | 119th Congress | HR-1258 | House | Updated: 2/12/2025