In response to growing cybersecurity concerns and the imperative to safeguard critical infrastructure, the Federal Acquisition Regulatory (FAR) Council has introduced two proposed rules that could significantly impact government contractors. These rules, open for public comment until December 4, 2023, have broad implications for both cybersecurity and compliance. Here is an overview of the key takeaways:
Cyber Incident Reporting and Information Sharing: The first proposed rule requires contractors to investigate and report cybersecurity incidents swiftly, including indicators of potential breaches. This information will be shared with the Cybersecurity and Infrastructure Security Agency (CISA), and a report can trigger follow-on update and data-preservation obligations. Contractors should be prepared to represent their compliance accurately in government contracts, because false statements about cybersecurity could expose them to enforcement actions under the False Claims Act.
Software Bills of Materials (SBOMs): One long-awaited requirement is the SBOM, which is a detailed list of software components used in a product or service. This list is crucial for prompt identification of vulnerabilities during incident responses. Contractors will need to produce machine-readable SBOMs in line with government guidelines.
Information Sharing: Contractors must cooperate with CISA, the FBI, and other agencies, providing them access and necessary support during threat hunting and incident responses. However, access must adhere to relevant laws and regulations, presenting interpretive challenges.
Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FIS): The second proposed rule offers standardized cybersecurity policies and controls for contractors handling unclassified federal information systems. These standards promote consistency and cybersecurity preparedness.
Compliance Risks: These proposed rules increase the potential for False Claims Act investigations and qui tam litigation related to cybersecurity. Contractors should focus on providing accurate representations regarding cybersecurity compliance.
The proposed rules underscore the Biden administration's commitment to enhancing cybersecurity in response to recent incidents and breaches. Contractors should assess their impact, particularly the Cyber Incident Rule, which may affect various contractors, including those serving civilian agencies.
Understanding the definitions, implementation challenges, and potential compliance obligations is essential. Additionally, contractors and stakeholders may consider submitting comments on these rules by the December 4, 2023, deadline. Stay vigilant, prioritize compliance, and be ready to adapt to evolving cybersecurity requirements.