Stakeholders criticize incident reporting window in proposed rule to establish CUI requirements for federal contractors

Three industry groups are urging the Federal Acquisition Regulatory Council to revisit a proposed eight-hour requirement for federal contractors holding controlled unclassified information to report cyber incidents, as part of a notice of proposed rulemaking targeted at civilian agencies.

“The proposed 8-hour incident reporting timeline diverges from existing incident reporting requirements and best practices. As such, it drives fragmentation instead of harmonization of federal incident reporting practices. Harmonization is particularly critical to contractors who support multiple agencies as it ensures...