Cybersecurity and technology trade groups are urging agencies to rethink a proposed measure that would intensify requirements for federal contractors when they report cybersecurity incidents, arguing they are inconsistent with other cyber regulations and demand too much from contracted firms targeted in cyberattacks.
The proposed rule, from the Pentagon, GSA and NASA, would, among other things, require contractors to develop a Software Bill of Materials — or SBOM — for all software used when performing contracting tasks, as well as notify the Department of Homeland Security of a security incident within eight hours of its discovery.
The agencies proposed the rule in October, and interested parties were later granted a two-month extension to provide feedback, with the window for new comments closing on Friday. The proposal was justified under a May 2021 executive order signed by President Joe Biden aimed at shoring up the nation’s cybersecurity posture, as well as contracting directives outlined in the National Cyber Strategy released last year.
Chief among industry group complaints is language that would grant DHS’s Cybersecurity and Infrastructure Security Agency and the FBI complete access to contractors’ information systems and personnel when responding to a cyber incident.
Others have complained about the proposal’s SBOM demands, contending they are not aligned with other federal software regulations.
The proposal also establishes an eight-hour window for contractors to report cyber incidents to CISA after their discovery, a requirement that commenters have deemed too rigorous, arguing it would not give companies enough time to gather resources and officially confirm a hack.
“NASA and our federal partners will review the comments received to inform next steps in the federal rule-making process,” Jennifer Dooren, a NASA spokesperson, told Nextgov/FCW. “DOD and our partners would like to thank all the companies who took the time to provide comments. We are working our way through the adjudication process and will move on to the next step soon,” a Pentagon spokesperson told Nextgov/FCW in a statement.