A proposed rule from the DOD, GSA and NASA would require contractors to develop a Software Bill of Materials for all software used when performing contracting tasks. Maria Korneeva/Getty Images

Proposed contractor cyber reporting rule sets a ‘significantly problematic’ bar, industry groups say

The groups, which represent tech and cybersecurity companies sometimes contracted by the government, say the proposals are too rigorous and inconsistent.

Cybersecurity and technology trade groups are urging agencies to rethink a proposed measure that would intensify requirements for federal contractors when they report cybersecurity incidents, arguing they are inconsistent with other cyber regulations and demand too much from contracted firms targeted in cyberattacks.

The proposed rule from the Pentagon, GSA and NASA — the agency trio that jointly issues policy measures tied to the Federal Acquisition Regulation — would, among other things, require contractors to develop a Software Bill of Materials — or SBOM — for all software used when performing contracting tasks, as well as notify the Department of Homeland Security of a security incident within eight hours of its discovery.

The agencies proposed the statute in October, and interested parties were later granted a two-month extension to provide feedback, with the window for new comments closing on Friday. The proposal, which would amend FAR, was justified under a May 2021 executive order signed by President Joe Biden aimed at shoring up the nation’s cybersecurity posture, as well as contracting directives outlined in the National Cyber Strategy released last year.

“Recent cybersecurity incidents such as those involving SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the proposal says.

Chief among industry group complaints is language that would grant DHS’s Cybersecurity and Infrastructure Security Agency and the FBI complete access to contractors’ information systems and personnel when responding to a cyber incident.

“Policymakers should engage directly with industry before moving ahead with this significantly problematic provision,” the Chamber of Commerce said in comments, arguing that such access is an “unprecedented” stance that amounts to a privacy violation.

The Alliance for Digital Innovation, which jointly submitted remarks with the Cybersecurity Coalition, argued that the government may inadvertently gain access to non-federal customers of an impacted contractor under the current proposal.

“There’s really no bar or threshold for when that access would be allowed, or scope for what the access would entail, both of which are really big concerns,” Grant Schneider, an ADI senior advisor, said in a phone interview, adding that the agencies should instead consider taming the proposal to require contractors to open up only certain systems to federal investigators if they choose to not be forthcoming in cyber incident disclosures.

Others have complained about the proposal’s SBOM demands, contending they are not aligned with other federal software regulations.

SBOMs, or itemized lists of components that make up software products, have been widely viewed as a helpful tool in advancing software security by enabling organizations to identify potential exposures in their technology. But some argue that requiring SBOMs is cumbersome because various regulations have defined their scope differently. Lawmakers notably excluded a federal contractor SBOM measure from a must-pass defense policy bill in 2022. 

Most contractors “do not create their own software and instead use commercial off-the-shelf products for which SBOMs might not be readily available and may need to be generated specifically for the contractor and government transactions,” said a comment filed by Andrew Howell of the Operational Technology Cybersecurity Coalition, a group representing industrial control systems vendors.

The OTCC comments add that a separate SBOM memorandum from the Office of Management and Budget does not match that of the proposed rule, arguing that such a dynamic would give contractors a headache. The OMB memo lists SBOMs as an optional entity that can be provided upon request, while the contractor directive requires SBOMs be listed for all software used in a contracting job, regardless of a cybersecurity incident.

The proposal also establishes an eight-hour window for contractors to report cyber incidents to CISA after their discovery, a requirement that commenters have deemed too rigorous because it would not give companies enough time to gather resources and officially confirm a hack.

“You want time for forensics teams, for your in-house folks to be able to actually look at data and find out what really happened,” Schneider said, noting that, in some cases, firms may determine such incidents are falsely labeled cyberattacks. “And you need to then run that through the management chain and the leadership chain.”

“NASA and our federal partners will review the comments received to inform next steps in the federal rule-making process,” Jennifer Dooren, a NASA spokesperson, told Nextgov/FCW.

"DOD and our partners would like to thank all the companies who took the time to provide comments. We are working our way through the adjudication process and will move on to the next step soon," a Pentagon spokesperson told Nextgov/FCW in a statement.

Editor's note: This article has been updated to include a statement from the DOD.