Homeland Security and Governmental Affairs Committee, Armed Services Committee, Oversight and Government Reform Committee
This bill, titled the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, aims to enhance cybersecurity by requiring federal contractors to adopt robust vulnerability disclosure policies. It directs the Office of Management and Budget (OMB), in consultation with key cybersecurity agencies like CISA and NIST, to review and recommend updates to the Federal Acquisition Regulation (FAR) contract language. These recommendations are designed to ensure that covered contractors implement vulnerability disclosure policies consistent with NIST guidelines, specifically referencing requirements from the IoT Cybersecurity Improvement Act of 2020.
Following these recommendations, the Federal Acquisition Regulation Council must update the FAR to incorporate requirements for contractors to receive and address information about potential security vulnerabilities in their information systems used for contract performance. These updates must align with industry best practices and international standards, such as ISO 29147 and 30111, to the maximum extent practicable. A waiver provision allows agency Chief Information Officers to forgo these requirements in the interest of national security or research purposes, provided they submit a notification and justification to relevant congressional committees within 30 days.
Separately, the Secretary of Defense is mandated to review and revise the Department of Defense Supplement to the FAR (DFARS) to ensure similar vulnerability disclosure policies are implemented by DoD contractors, also consistent with NIST guidelines. The DoD's revisions must adhere to the same elements as the FAR updates, including alignment with industry standards. The DoD Chief Information Officer, in consultation with the National Manager for National Security Systems, can also waive these DFARS requirements for national security or research, with similar reporting obligations to the House and Senate Armed Services Committees.
Federal Cybersecurity Vulnerability Reduction Act of 2023
Introduced in House
Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Armed Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Mr. Comer moved to suspend the rules and pass the bill, as amended.
Considered under suspension of the rules. (consideration: CR H930-932)
DEBATE - The House proceeded with forty minutes of debate on H.R. 872.
Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote. (text: CR H930-931)
Motion to reconsider laid on the table Agreed to without objection.
Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Computer security and identity theft; Government information and archives; Public contracts and procurement
Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
USA | 119th Congress | HR-872 | House | Updated: 3/4/2025