Following an executive order to standardize contractual requirements for cybersecurity across federal agencies, the Department of Defense, the General Services Administration, and NASA have proposed revisions to federal regulations governing procurement. The proposed rules would impose uniform reporting requirements and cybersecurity standards for companies doing business with the U.S. Government.
The proposed rules also cover threat intelligence, incident reporting, and incident response, as well as certain requirements for federal information systems (“FIS”). For instance, contractors would be required to investigate security incidents immediately and thoroughly, and to share information with the Cybersecurity and Infrastructure Security Agency (CISA). Disclosure to CISA would need to be made within eight hours following a security incident. Contractors would also be required to provide updates every 72 hours after the initial disclosure to CISA. The proposed rules outline incident response requirements, such as preserving data for at least 12 months, customizing files, and providing full access to contractors’ information systems and equipment necessary for forensic analysis following security incidents.
Additionally, contractors would be required to establish and manage a software bill of materials (“SBOM”), a detailed record of each piece of computer software used by contractors in the performance of their services to federal agencies. For businesses with good cybersecurity hygiene, this should not be a burdensome requirement, as maintaining an SBOM has been recognized as a best practice for years.
The proposed rules also outline requirements for operating any FIS used on behalf of federal agencies. Compliance would involve assessing vulnerabilities and cyber threats, as well as obtaining independent assessments of the federal information systems used. After such assessments, the federal agencies could mandate improvements or steps to mitigate risk and outline the privacy contours necessary for contract performance. More importantly, the proposed rules would allow the federal government to seek indemnification for liabilities arising out of contractors’ mishandling of information.
Since these proposed rules would modify compliance standards for federal contractors, affected parties should consider submitting comments by December 4, 2023.