Read at The Register
Proposed changes to procurement rules would require IT service providers to allow government agencies full access to their systems during security incidents, according to a draft update to the Federal Acquisition Regulation (FAR). The changes aim to improve security in response to recent cybersecurity incidents faced by public and private sector entities. The proposed rules include reporting incidents within eight hours, maintaining a software bill of materials, and providing full access to IT systems and personnel after an incident. However, industry respondents are unhappy with the proposed changes.
"SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals," the update from the three agencies reads.
IT service providers are unhappy with the proposed changes to procurement rules, which would require them to allow government agencies full access to their systems during security incidents. The proposed rules aim to improve government security in response to recent cybersecurity incidents. Industry respondents state that compliance with information-sharing and incident-reporting requirements should not become material to eligibility and payment under government contracts.
Proposed changes are FAR from what industry wants