The Federal Acquisition Regulation (FAR) Council has proposed a new cybersecurity rule (FAR-2021-0017) that will impact government contractors, marking another step forward in cybersecurity regulation. These changes are not just bureaucratic red tape; they bring about core adjustments that directly affect many contractors. If effective, this rule may have a farther-reaching impact on any business or industry as broader rules are also necessary.
From new protocols on SBOMs to stipulations on how contractors should collaborate with CISA, the proposed rule offers some notable changes. It also tightens the timeline for incident reporting and opens discussions on international compliance challenges. We’ll delve into the key changes, their impact, and what they mean for contractors.
Table of Contents
Key Changes From the Proposed Cybersecurity Rule
1. New Rules for Software Bills of Materials (SBOMs)
2. Collaborating With CISA To Reduce Risks
3. Full Access to Contractor Data for Incident Response
4. Navigating Foreign Compliance
5. Changes in Incident Reporting
Widespread Benefits of the Cybersecurity Rule
The Impact on Government Contractors
Concerns Over Government Overreach With Cybersecurity Rule
Why New Cybersecurity Rules Are Being Proposed
Conclusion: What Contractors Should Keep in Mind
Key Changes From the Proposed Cybersecurity Rule
The proposed cybersecurity rule introduces several changes aimed at fortifying the IT infrastructure and enhancing incident response. While the policies are aimed at government contractors, they may lead to broader shifts for other businesses and industries. We’ve highlighted some of the key changes below.
1. New Rules for Software Bills of Materials (SBOMs)
The cybersecurity rule mandates contractors to maintain an SBOM for any software used in contract fulfillment. SBOMs list all software components, aiding in quickly identifying vulnerabilities during a security incident. That allows for swifter incident response when locating compromised elements. The rule also seeks public input on various SBOM aspects, such as collection methods, developmental challenges, and update protocols.
2. Collaborating With CISA To Reduce Risks
Another piece is to change the way contractors engage with the Cybersecurity and Infrastructure Security Agency (CISA) for threat hunting and incident response. This approach allows CISA to understand system weaknesses and potential threats better. CISA would then offer advice on how to strengthen these vulnerable systems. Before taking any steps based on this advice, the contractor would discuss it with the agency they’re working for. The goal is to work together to reduce risks more effectively.
3. Full Access to Contractor Data for Incident Response
The new guidelines will grant key governmental agencies access to relevant contractor data, information systems, and personnel. This access is triggered during a security incident, whether reported by the contractor or identified by the government. This provision aims to streamline the response process, allowing rapid action to mitigate risks and address security concerns.
4. Navigating Foreign Compliance
The proposed cybersecurity rules outline that contractors and subcontractors should report security incidents and take extra steps to support incident response. However, government agencies also acknowledge it’s a complex challenge. Contractors operating in foreign countries may be subject to those countries’ laws restricting information sharing with the U.S. Government. As a result, discussions are still ongoing to address foreign compliance better.
5. Changes in Incident Reporting
The proposed rule mandates a streamlined incident reporting system. Businesses must report security incidents within eight hours, boosting the effectiveness of any response plan. Quick reporting enables timely data analysis, helping to identify threats. Even incomplete initial reports offer early warnings and can minimize damage from a cyberattack. These reports must be updated every 72 hours, enabling continuous communication and countermeasures.
The goal is to standardize incident reporting timelines across governmental agencies and frameworks. Currently, reports can happen anywhere from one to 72 hours. If an attack is targeting multiple businesses, the scale isn’t always known right away due to differences in report times. Unifying to an upfront eight-hour reporting requirement ensures greater consistency in incident response.
Widespread Benefits of the Cybersecurity Rule
The new cybersecurity rule is a vital step toward better safety and financial stability in the U.S. It aims to reduce the high cost of cyber-attacks, which stole as much as $109 billion from the U.S. economy in 2016 alone. The rule is about more than just data; it protects essential systems that keep our country running safely. It also aligns with Executive Order 14028, which encourages the government and businesses to work together to improve cybersecurity for everyone.
Another plus is the rule’s focus on future technology needs. For example, it pushes for using IPv6, an updated internet protocol. That is important for meeting the growing demand for new IP addresses and keeping the U.S. ahead in technology. The rule also looks at the big picture, factoring in the technology we use for data and the technology that controls machines. By setting high safety standards for government systems, it encourages other sectors to do the same.
The Impact on Government Contractors
Understanding the proposed cybersecurity rule is one thing; preparing for its real-world impact is another. For government contractors, the rule changes may have several practical implications beyond mere compliance. Here’s how:
Day-to-Day Operations: With the new rule mandating SBOMs, contractors would need to maintain meticulous records of all software components. That could entail more rigorous procurement and auditing processes, affecting the speed at which projects are executed.
Cost Impact: The added administrative and operational efforts will likely increase costs. Whether it’s hiring additional staff for compliance monitoring or investing in new software tools to facilitate reporting, contractors should prepare for a likely uptick in operational expenses.
Resource Allocation: Enhanced collaboration with CISA means that some personnel must be designated for regular interaction with the agency. Also, given the tightened timelines for incident reporting, dedicated teams may be needed to manage this aspect alone, ensuring that the eight-hour initial reporting and subsequent 72-hour updates are consistently met.
International Challenges: For those operating internationally, the cost and complexity of compliance could be even higher. Adhering to U.S. and foreign regulations may require specialized legal advice and could complicate data-sharing protocols, adding another layer to operational considerations.
Technical Upgrades: The need for rapid incident reporting and data sharing could necessitate upgrades to current IT systems. This would ensure quick, secure, and efficient data transmission to meet new regulatory requirements.
Training: Staff will need training to understand the new processes and regulations. That could range from understanding what constitutes a ‘security incident’ that requires reporting to the nitty-gritty of generating and maintaining SBOMs.
Legal Preparedness: With the new rule, the contractual obligations and liabilities may change. Contractors would be well-advised to revisit their legal frameworks, possibly necessitating updates to contracts and agreements with both clients and third-party vendors.
Contractors should start preparing for these changes to ensure a smoother transition when the rule eventually becomes law. Proactive planning can help mitigate the challenges and potential costs involved.
Concerns Over Government Overreach With Cybersecurity Rule
While the new rules aim to enhance cybersecurity, they also pose questions about the extent of government access to private company data. Complete access to a contractor’s data and systems in the event of a security incident could be a slippery slope, leading to concerns about privacy and the boundaries of government influence. Clearly defining the scope and limitations of this access is crucial, mainly when it involves the private sector.
The agencies responsible for the proposed changes actively seek public input on various aspects, from software management to the intricacies of international compliance. This openness to feedback suggests an awareness of the complexity and sensitivity of these issues. However, the balance between robust cybersecurity and preventing government overreach remains a delicate issue that requires thoughtful discussion and transparent guidelines.
Why New Cybersecurity Rules Are Being Proposed
The drive for new cybersecurity rules has been an ongoing process over the past few decades. Recent changes come in response to the growing number of incidents across most industries. Some recent examples include the University of Minnesota data breach and the Microsoft stolen authentication token. Both incidents had widespread implications for individuals and cybersecurity. With even major corporations and universities being vulnerable to cyberattacks, this underlines the evolving and complex nature of threats.
Hacking and data breaches aren’t the only risks, either. Other cyber activities, like phishing campaigns and IT mistakes, can cause additional problems and potentially lead to hefty fines. The variety of incidents and their success underscores the need for a more standardized approach to cybersecurity, particularly for managed service providers (MSPs) involved in government contracts.
Conclusion: What Contractors Should Keep in Mind
Navigating the world of cybersecurity just got more complex with the new rule from the Federal Acquisition Regulation (FAR) Council. To simplify, these are the essential points that government contractors should be aware of:
- A new Software Bill of Materials (SBOM) will be required. Think of this as a list of all software components aimed at identifying security risks quickly.
- Collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) is encouraged. That allows cybersecurity experts to better understand and address security vulnerabilities.
- In the event of a security issue, government agencies will now have the right to access contractor data and systems. The aim is to respond faster to security threats, though it raises privacy concerns.
- A new timeline for reporting security incidents is set. An initial report must be submitted within eight hours, with updates every 72 hours after that. The goal is more consistent responses to security issues.
For contractors operating abroad, the rule also highlights the difficulties of adhering to both U.S. and international laws. Ongoing discussion is happening to better solidify the best way to make these changes while still respecting the laws of other countries.
These changes will likely impact day-to-day operations and could raise costs or necessitate additional resources. However, public input on these changes is welcomed by the government, indicating an understanding of the complexities involved. In summary, these new guidelines aim to bolster cybersecurity but come with challenges requiring careful thought.