Inside Cybersecurity

Stakeholders see potential in proposed changes to acquisition rules for contractor incident reporting, SBOM requirements

By Sara Friedman / October 3, 2023

Stakeholders are cautiously optimistic over two long-awaited cyber rules issued today that make changes to the government’s info-sharing requirements for contractors, unclassified federal information systems and the use of a Software Bill of Materials.

The first rule focuses on cyber threats, incident reporting and information sharing. It would also require federal contractors to maintain and provide an SBOM for “each piece of computer software used in the performance of a contract.”

The second rule sets up requirements for protecting unclassified federal information systems, whether hosted on-premises or in the cloud. The rule is largely based on mandates from Executive Order 14028, while also offering parameters for contractors to use NIST guidance for securing Internet of Things devices operating on federal information systems.

The two proposed rulemakings were published today in the Federal Register and have a 60-day public comment period. Work continues on a third FAR rule required in the cyber EO on software supply chain security.

The Information Technology Industry Council focused on the first rule in comments to Inside Cybersecurity.

Leopold Wildenauer, senior manager of policy for public sector, said, “Based on our initial review, the proposed rules have the potential to reshape significant parts of the federal contractor landscape as they apply to all prime and subcontractors providing products and services to the federal government, including commercial and COTS products.”

Wildenauer said, “To streamline incident reporting and enable impacted entities to respond in a meaningful and efficient way, we urge the administration to harmonize incident reporting requirements across agencies, including between FAR Case 2021-017 and the regulations examined in the recently released [Cyber Incident Reporting Council] report. Specifically, we recommend adherence to the CIRC-developed model reporting timelines of 72 hours rather than the proposed eight-hour window.

“Further, we note that the proposed flow down of a mandatory SBOM requirement would disproportionately impact those (smaller and medium sized) businesses that have not yet had the resources to mature their own capabilities,” Wildenauer said.

Henry Young of BSA-The Software Alliance weighed in on what the SBOM requirement will mean for contractors.

Young said, “SBOMs promise to improve cyber incident response, and both industry and government have invested heavily in the work to make SBOMs actionable. BSA supports the administration’s work on regulatory harmonization, which will help bolster our cybersecurity posture.

“These proposed rules underscore the importance of taking a coordinated approach with ongoing work at CISA, and we hope any final rule will provide the space for that work to continue and ensure efforts are harmonized across government,” according to Young.

Ross Nodurft of the Alliance for Digital Innovation commented, “These FAR cases - in many areas - take a thoughtful approach to rulemaking. In some of the areas where implementation of various security processes may be difficult, the FAR Council asks for feedback and input about the best path forward. We appreciate the collaborative process that the FAR Council is taking, and we hope that feedback that industry provides will be seriously taken into consideration as the rule continues to be developed.” -- Sara Friedman (sfriedman@iwpnews.com)