No one's happy with latest US cyber incident reporting plan | The Register

Organizations that sell IT services to Uncle Sam are peeved at proposed changes to procurement rules that would require them to allow US government agencies full access to their systems in the event of a security incident.

The rules were unveiled in a draft update to the Federal Acquisition Regulation (FAR) that refreshes security reporting standards for government contractors, in line with President Biden's 2021 executive order on the topic.

Among the potential incoming requirements are an eight-hour deadline for reporting security incidents, with status updates every 72 hours; submission of software bills of materials (SBOMs); and full access to contractor systems for federal agencies and law enforcement in the wake of an incident.

The above ideas, developed by the Department of Defense (DoD), General Services Administration (GSA) and NASA, have been suggested in light of the many infosec threats facing the USA.

"SolarWinds, Microsoft Exchange and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals," the update from the three agencies reads.

"These incidents share commonalities, including insufficient cyber security defenses that leave public and private sector entities more vulnerable to incidents," the trio added. "This proposed rule underscores that the compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under government contracts."

While you'd think rules to improve government security would be welcomed, industry respondents aren't happy.

Even though they were first proposed in October of last year, the comment period on the FAR reporting requirements has ended after being extended for two months. With more than 80 responses, it's clear many stakeholders wanted to have their say, and all the aforementioned provisions were questioned.

The Cloud Service Providers Advisory Board (CSPAB), which counts multiple major US cloud service firms among its members, described the new rules as "burdensome on information technology companies who are already meeting a high security and compliance bar across the federal marketplace."

The CSPAB took particular umbrage with the FAR update's SBOM requirements, arguing cloud service providers shouldn't be required to submit them since their software inventories are so frequently subject to change, sometimes up to hundreds of times per day.

The Information Technology Industry Council (ITIC), which represents a laundry list of heavy hitters, expressed dissatisfaction over the proposed reporting rules, describing them as "adding another hue of color to the kaleidoscope of incident reporting regimes" being passed by the US federal government of late.

ITIC said the eight-hour reporting requirement was "unduly burdensome" and inconsistent with other reporting rules, adding that the 72-hour update period "does not reflect the shifting urgency throughout an incident response."

Even bug bounty biz HackerOne weighed in, arguing, among other things, that the provision requiring access to contractor systems by federal law enforcement in the wake of a security incident "has the potential to expose data and information from the contractor's non-federal customers."

"Non-federal customers may be reluctant to continue working with federal contractors, potentially forcing federal contractors to choose between selling to non-federal customers or the government," HackerOne warned.

There's room to debate some of the complaints raised by commenters, but one thing's for certain: Uncle Sam's cyber incident reporting rules are growing in number, and each set of regulations is different.

The Securities and Exchange Commission (SEC) implemented a rule last summer requiring public companies to report a cyberattack to it within four business days of determining that the incident could have a material impact on the business or investors. The Federal Trade Commission (FTC) followed suit in the fall with its own incident reporting rule, giving non-banking financial organizations 30 days to inform the commission of a successful break-in of their systems.

CISA, meanwhile, plans to follow suit with its own rules, outlined by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law by President Biden in March 2022 with a two-year deadline to propose a rule. Due next month, the CIRCIA rule will give companies in critical infrastructure sectors three days (72 hours) to report an incident.

Congressional representatives have expressed discontent with the SEC's reporting rules and introduced a bill to kill its reporting requirement, citing too short a deadline and the fact that incident reporting should fall under CISA's purview. The proposed FAR updates, as mentioned, give a mere eight hours.

All of these various reporting requirements are likely to lead to what the ITIC describes as "misalignment among reporting requirements," with the council calling for the establishment of one authoritative incident reporting process across the federal government and regulated sectors.

"Several incident reporting regimes are potentially suitable candidates," ITIC EVP of public sector policy Gordon Bitko wrote in the org's submission, suggesting rules set by CIRCIA and the SEC as suitable alternatives.

"The rule should identify one coordinating agency, ideally CISA, which should be the focal point for all reporting and subsequent investigations," Bitko added, echoing calls from other commenters and Representative Andrew Garbarino (R-NY), who introduced a House bill to kill the SEC's reporting requirements.

We've asked NASA, the GSA and DoD for comment and have not received a response at the time of publication.