Inside Cybersecurity

Software group pushes back on cyber threat sharing provisions in proposed rule related to cyber EO

By Sara Friedman / February 7, 2024

BSA-The Software Alliance is urging the Federal Acquisition Regulatory Council to abandon its plan to give CISA and law enforcement agencies access to contractor systems in the event of a security incident, a provision of a proposed rule implementing key components of the 2021 cyber executive order.

“This proposed rule seems to forget or ignore what both EO 14028 and the Constitution recognize. Instead, the proposed rule would give law enforcement a staggering amount of access to the information and information systems of private companies, without clear protections for the private and sensitive personal data often stored in such systems and without any safeguards against the intentional or negligent misuse of such unrestricted access,” BSA says in comments submitted on Feb. 2.

The Defense Department, the General Services Administration and NASA issued a proposed rule on Oct. 3 to amend the FAR to “increase the sharing of information about cyber threats and incident information between the Government and information technology and operational technology service providers.”

BSA outlines two reasons for deleting the requirement from the proposed rule.

First, BSA says the rule “undermines privacy and security protections.” Contractors would be required to “provide ‘full access and cooperation’ to CISA, the FBI, and the contracting agency, if any of those entities determine such access is needed to investigate or respond to an incident,” BSA says.

The filing says, “The proposed rule fails to offer any substantive protections for information held on the contractor’s systems, or any limits on the length and extent of the government’s access. This requirement may provide access to not just the contractor’s own data (which may be commercially sensitive or involve trade secrets) but also the personal data of individuals stored on that contractor’s system.”

Second, BSA says, “the proposed rule broadly undercuts the United States Government’s goal of procuring secure and reliable technologies that keep information private. Contractors should be encouraged to adopt privacy-protective and security-protective practices, including limiting access to both their overall services and to the data stored on those services. Requiring contractors to allow ‘full access’ to their systems undermines these goals, and will result in less private and less secure services.”

“In addition, this type of access will create challenges for contractors operating in foreign countries, particularly when the contractor also serves foreign customers that require the contractor to commit to strict limits on how governments can access information stored with the contractor,” according to BSA.

The proposed rule also contains a requirement for contractors to “develop and maintain” a Software Bill of Materials for any software that is used during the performance of a contract.

BSA is opposed to the requirement, arguing that SBOMs are “not ready” to be used for procurement.

The filing says, “Governments and industry are working to develop and standardize SBOMs so that software producers can create them but also so that customers can use them. Much of this work is being led by CISA, and includes weekly meetings of government and industry experts to work on the Vulnerability Exploitability eXchange (VEX) model, sharing and exchanging SBOMs, adoption of SBOMs, and tooling and implementation of SBOMs.”

BSA writes, “Supporting these continued efforts, rather than adding requirements before stakeholders have finished their work, will advance the FAR Council’s goals.”

BSA also argues that establishing the requirement would “undermine harmonization of SBOM requirements,” noting that “US Government agencies are currently working to develop a holistic approach to SBOMs.”

The software group adds, “If the FAR Council aligns its work with the US National Cybersecurity Strategy, it must work toward harmonization with the broad swath of proposed laws and policies that are currently being contemplated or implemented.”

“BSA suggests the FAR Council revisit requirements relating to SBOMs after the cybersecurity community completes its on-going efforts and ensures its requirements are harmonized with these efforts,” the filing says.

BSA’s filing goes into more detail on the need to harmonize security incident reporting in the rule with CISA’s upcoming regime for critical infrastructure and asks the FAR Council to reconsider its scoping of what is considered “government-related data.” -- Sara Friedman (sfriedman@iwpnews.com)