Read at Databreaches
Organizations that sell IT services to the US government are objecting to proposed changes to federal procurement rules that would require them to give the government full access to their systems in the event of a security incident. The changes appear in a draft update to the Federal Acquisition Regulation (FAR) that refreshes the security-reporting requirements for government contractors in line with President Biden's 2021 executive order on cybersecurity. Among the proposed requirements are that contractors report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours of detection and provide full access to their IT systems and personnel for CISA and federal law enforcement agencies.
The proposed changes have drawn criticism from IT service providers, who argue that granting the government full access to their systems poses a significant risk to the confidentiality and security of their clients' data, including data belonging to clients unconnected to the incident. The eight-hour reporting window, which runs from detection rather than from the conclusion of an investigation, has also been criticized as impractical. Supporters of the changes counter that full access to systems and prompt reporting are necessary for government agencies to respond to and mitigate cyber threats effectively.
Under the draft, contractors would have just eight hours to report a detected incident to CISA and would then have to update that report every 72 hours; they would need to maintain a software bill of materials (SBOM) for the software they deliver; and after an incident they would have to provide 'full access' to their IT systems and personnel for CISA and federal law enforcement agencies.
#us-procurement-rules #it-service-providers #security-incident #federal-acquisition-regulation #cybersecurity