IT suppliers hacked off with Uncle Sam’s demands in aftermath of cyberattacks

February 7, 2024 at 07:12PM

Proposed changes to US government procurement rules would require IT service organizations to provide full access to their systems in the event of a security incident. These requirements, developed by DoD, GSA, and NASA, have faced criticism from industry respondents who find them burdensome and inconsistent with other reporting rules. The growing number of cyber incident reporting rules from different federal agencies raises concern about alignment and coordination.

Key takeaways from the meeting notes:

1. Proposed changes to the Federal Acquisition Regulation (FAR) aim to update security reporting standards for government contractors in line with President Biden’s 2021 executive order. The changes include requirements such as reporting security incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours and providing access to IT systems and personnel for investigation by CISA and federal law enforcement agencies.

2. The proposed changes have received mixed reactions from industry stakeholders, with many expressing dissatisfaction and raising concerns about the burden and inconsistency of the reporting requirements.

3. Multiple organizations, including the Cloud Service Providers Advisory Board (CSP-AB) and the Information Technology Industry Council (ITIC), have voiced opposition to the FAR update’s provisions, particularly the Software Bill of Materials (SBOM) requirements and the reporting timeframes.

4. The growing number of incident reporting rules, including those from the Securities and Exchange Commission (SEC) and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), has led to concerns about misalignment and the need for a unified incident reporting process.

5. Representatives have expressed discontent with the SEC’s reporting rules and introduced a bill to address the reporting deadline and the appropriate agency for incident reporting.
