The Pentagon, NASA, and the General Services Administration jointly are proposing two new cybersecurity rules, one to revise the Federal Acquisition Regulation (FAR) to require contractors to report compromises of their information and communications technology systems, and the other to streamline requirements across federal agencies and make it easier for contractors to comply.
The lengthy proposed rules were published in the Oct. 3 issue of the Federal Register. Comments are due by Dec. 4, 2023.
The proposed Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing rule stems from President Biden’s May 12, 2021 Executive Order 14028, Improving the Nation’s Cybersecurity.
The proposal outlines five requirements for eligibility to receive, and be paid under, government contracts. The first is a new requirement to develop and maintain a software bill of materials (SBOM) used in contracts. An SBOM, like an ingredient or materials list, includes the artifacts that make up software.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) says an SBOM “has emerged as a key building block in software security and software supply chain risk management.”
Another proposed requirement would allow CISA to reach out to contractors to provide services related to threat hunting and incident response, giving the agency visibility into contractor networks to check for potential threats, reduce risks, and ultimately recommend action items.
The proposal also would give CISA, the FBI, and the contracting agency “full access to applicable contractor information and systems” if the contractor reports a security incident or if the government identifies an incident.
Upon discovering a security incident, contractors have up to eight hours to report the information to CISA and provide updates every three days until an investigation is complete and threats have been eliminated.
However, DoD, NASA, and the GSA acknowledge that there are currently different cyber incident reporting requirements across government, ranging from an hour to 72 hours after an incident has been discovered. As such, they are seeking public feedback on harmonizing incident reporting.
The agencies also want to hear about options for contractors and subcontractors that are operating in foreign countries and that may be subject to laws in those countries regulating what information can be shared with the U.S. government.
A separate proposed rule, Federal Acquisition Regulation: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, is being driven by EO 14028 and the Internet of Things Cybersecurity Improvement Act of 2020. This proposal seeks to standardize minimum cybersecurity requirements across the government so that they can be “applied consistently” to federal information systems.
If approved, the rule would also require agencies to update their respective requirements and remove any that duplicate FAR statutes.