Proposed contractor cyber reporting rule sets a 'significantly problematic' bar, industry groups say - Nextgov/FCW

By David DiMolfetta
Cybersecurity and technology trade groups are urging agencies to rethink a proposed measure that would intensify requirements for federal contractors when they report cybersecurity incidents, arguing they are inconsistent with other cyber regulations and demand too much from contracted firms targeted in cyberattacks.

The proposed rule from the Pentagon, GSA and NASA, the agency trio that jointly issues policy measures tied to the Federal Acquisition Regulation, would, among other things, require contractors to develop a Software Bill of Materials, or SBOM, for all software used when performing contracting tasks, as well as notify the Department of Homeland Security of a security incident within eight hours of its discovery.

The agencies proposed the rule in October, and interested parties were later granted a two-month extension to provide feedback, with the window for new comments closing on Friday. The proposal, which would amend FAR, was justified under a May 2021 executive order signed by President Joe Biden aimed at shoring up the nation's cybersecurity posture, as well as contracting directives outlined in the National Cyber Strategy released last year.

"Recent cybersecurity incidents such as those involving SolarWinds, Microsoft Exchange and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals," the proposal says.

Chief among industry group complaints is language that would grant DHS's Cybersecurity and Infrastructure Security Agency and the FBI complete access to contractors' information systems and personnel when responding to a cyber incident.

"Policymakers should engage directly with industry before moving ahead with this significantly problematic provision," the Chamber of Commerce said in comments, arguing that such access is an unprecedented stance that amounts to a privacy violation.

The Alliance for Digital Innovation, which jointly submitted remarks with the Cybersecurity Coalition, argued that the government may inadvertently gain access to non-federal customers of an impacted contractor under the current proposal.

"There's really no bar or threshold for when that access would be allowed, or scope for what the access would entail, both of which are really big concerns," Grant Schneider, an ADI senior advisor, said in a phone interview, adding that the agencies should instead consider taming the proposal to require contractors to open up only certain systems to federal investigators if they choose to not be forthcoming in cyber incident disclosures.

Others have complained about the proposal's SBOM demands, contending they are not aligned with other federal software regulations.

SBOMs, or itemized lists of components that make up software products, have been widely viewed as a helpful tool in advancing software security by enabling organizations to identify potential exposures in their technology. But some argue that requiring SBOMs is cumbersome because various regulations have defined their scope differently. Lawmakers notably excluded a federal contractor SBOM measure from a must-pass defense policy bill in 2022.

"Most contractors do not create their own software and instead use commercial off-the-shelf products for which SBOMs might not be readily available and may need to be generated specifically for the contractor and government transactions," said a comment filed by Andrew Howell of the Operational Technology Cybersecurity Coalition, a group representing industrial control systems vendors.

The OTCC comments add that a separate SBOM memorandum from the Office of Management and Budget does not match that of the proposed rule, arguing that such a dynamic would give contractors a headache. The OMB memo lists SBOMs as an optional entity that can be provided upon request, while the contractor directive requires SBOMs be listed for all software used in a contracting job, regardless of a cybersecurity incident.

The proposal also establishes an eight-hour time window for contractors to report cyber incidents to CISA after their discovery, a requirement that commenters have deemed too rigorous, as it would not be enough time for companies to gather up resources and officially confirm a hack.

"You want time for forensics teams, for your in-house folks, to be able to actually look at data and find out what really happened," Schneider said, noting that in some cases firms may determine such incidents are falsely labeled cyberattacks. "And you need to then run that through the management chain and the leadership chain."

"NASA and our federal partners will review the comments received to inform next steps in the federal rulemaking process," Jennifer Dooren, a NASA spokesperson, told Nextgov/FCW.

"DOD and our partners would like to thank all the companies who took the time to provide comments. We are working our way through the adjudication process and will move on to the next step soon," a Pentagon spokesperson told Nextgov/FCW in a statement.

Editor's note: This article has been updated to include a statement from the DOD.
