New cyber rules aim to standardize requirements for federal contractors
– Chris Riotta
The White House is proposing revisions to the Federal Acquisition Regulation (FAR) to standardize cybersecurity requirements and incident reporting guidelines for government contractors.
The proposed rules aim to establish consistent cybersecurity standards, information sharing measures, and cyber threat reporting for federal contractors.
The current contractual requirements for cybersecurity in unclassified federal information systems are agency-specific and lack standardization, leading to inconsistencies and additional costs.
The proposed rules will require contractors to collaborate with the Cybersecurity and Infrastructure Security Agency (CISA) and provide access to threat hunting and incident response initiatives.
In case of a security incident, relevant federal agencies will have full access to contractor information and systems.
Under the proposed guidelines, contractors will be required to develop and maintain software bills of materials (SBOMs) for all software used in federal contracts.
The revisions will also mandate the implementation of comprehensive cybersecurity frameworks to protect federal information systems and meet specific requirements for individual procurements.
The proposed rule aims to enhance the protection of federal information systems by standardizing minimum cybersecurity standards.
The administration is seeking input from contractors and stakeholders on reporting timelines for cyber incidents, managing varying requirements across the government, and concerns regarding providing access to information, equipment, and personnel during cyber incidents.
Feedback is also sought on collecting SBOMs, challenges in software inventory development, and the appropriate balance of responsibility between the government and contractors when evaluating SBOMs for software vulnerabilities.
These proposed revisions align with President Joe Biden’s cybersecurity executive order issued in May 2021, and aim to improve cybersecurity practices and consistency for government contractors.
Link: https://www.govexec.com/technology/2023/10/new-cyber-rules-aim-standardize-requirements-federal-contractors/390878/