IT suppliers hacked off with Uncle Sam’s demands in aftermath of cyberattacks
Organizations that sell IT services to Uncle Sam are peeved at proposed changes to procurement rules that would require them to allow US government agencies full access to their systems in the event of a security incident.
The rules were unveiled in a draft update to the Federal Acquisition Regulation (FAR) that refreshes security reporting standards for government contractors in line with President Biden’s 2021 executive order on the topic.
Among the potential incoming requirements are:
- Contractors would have just eight hours to report a detected incident to the Cybersecurity and Infrastructure Security Agency (CISA), which would have to be updated every 72 hours thereafter;
- A software bill of materials (SBOM) would need to be maintained;
- After an incident, contractors would provide “full access” to IT systems and personnel for CISA and federal law enforcement agencies.
The above ideas – developed by Department of Defense (DoD), General Services Administration (GSA), and NASA – have been suggested in light of the many infosec threats facing the USA.
“SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the update from the three agencies reads.
India’s absurd infosec reporting rules get just 15 followers
“These incidents share commonalities, including insufficient cyber security defenses that leave public and private sector entities more vulnerable to incidents,” the trio added. “This proposed rule underscores that the compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under government contracts.”
Proposed changes are FAR from what industry wants
While you’d think rules to improve government security would be welcomed, industry respondents aren’t happy.
Even though they were first proposed in October of last year, the comment period on the FAR reporting requirements has ended after being extended for two months. With more than 80 responses, it’s clear many stakeholders wanted to have their say – and all the aforementioned provisions were questioned.
The Cloud Service Providers Advisory Board, (CSP-AB), which counts multiple major US cloud service firms among its members, described the new rules as “burdensome … on information technology companies who are already meeting a high security and compliance bar across the federal marketplace.”
The CSP-AB took particular umbrage with the FAR update’s SBOM requirements, arguing cloud service providers shouldn’t be required to submit them since they’re so frequently subject to change – sometimes “up to hundreds of times” per day.
The Information Technology Industry Council (ITIC), which represents a laundry list of heavy hitters, expressed dissatisfaction over the proposed reporting rules, describing them as adding “another hue of color to the kaleidoscope of incident reporting regimes” being passed by the US federal government of late.
ITIC said the eight-hour reporting requirement was “unduly burdensome and inconsistent” with other reporting rules, adding that the 72-hour update period “does not reflect the shifting urgency throughout an incident response.”
Even bug bounty biz HackerOne weighed in, arguing among other things that the provision requiring access to contractor systems by federal law enforcement in the wake of a security incident “has the potential to expose data and information from the contractor’s non-federal customers.”
“Non-federal customers may be reluctant to continue working with federal contractors, potentially forcing federal contractors to choose between selling to non-federal customers or the government,” HackerOne warned.
Reporting rules are myriad and inconsistent
There’s room to debate some of the complaints raised by commenters, but one thing’s for certain: Uncle Sam’s cyber incident reporting rules are growing in number – and each set of regulations is different.
The Securities and Exchange Commission (SEC) implemented a rule last summer requiring victims to report cyberattacks to it within four days when the incident could have a “material” impact on the business or investors. The Federal Trade Commission (FTC) followed suit in the fall with its own incident reporting rule, giving non-banking financial organizations 30 days to inform the commission of a successful break-in of their systems.
Volt Typhoon not the only Chinese crew lurking in US energy, critical networks
CISA, meanwhile, plans to follow suit with its own rules outlined by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law by President Biden in March 2022, with a two-year deadline to propose a rule. Due next month, CIRCIA will give companies in critical infrastructure sectors three days to report an incident.
Congressional representatives have expressed discontent with the SEC’s reporting rules and introduced a bill to kill its reporting requirement – citing too short a deadline and the fact that incident reporting should fall under CISA’s purview. The proposed FAR updates, as mentioned, give a mere eight hours.
All of these various reporting requirements are likely to lead to what the ITIC describes as “misalignment” among reporting requirements, with the council calling for “the establishment of one authoritative incident reporting process across the federal government and regulated sectors.”
“Several incident reporting regimes are potentially suitable candidates,” ITIC EVP of public sector policy Gordon Bitko wrote in the org’s submission, suggesting rules set by CIRCIA and the SEC as suitable alternatives.
“The rule should identify one coordinating agency, ideally CISA [which] should be the focal point for all reporting and subsequent investigations,” Bitko added, echoing calls from other commenters and representative Andrew Garbarino (R-NY), who introduced a House bill to kill the SEC’s reporting requirements.
We’ve asked NASA, the GSA, and DoD for comment, and have not received a response at the time of publication. ®
READ MORE HERE