The proposed rules would create new information sharing and incident reporting requirements.
The White House is proposing a series of revisions to the Federal Acquisition Regulation to standardize cybersecurity requirements and establish new incident reporting guidelines for government contractors, in a notice set to publish tomorrow in the Federal Register.
The General Services Administration, Department of Defense and NASA proposed new rules for federal contractors that would develop standardized contract language around cybersecurity requirements, along with a variety of additional information sharing and cyber threat reporting measures.
The proposals note that current contractual requirements for cybersecurity standards of unclassified federal information systems are "largely based on agency-specific policies and regulations" that can result in "inconsistent security requirements across contracts." Non-standardized cybersecurity requirements also create confusion, additional costs and further restrict competition, according to the proposed rules.
Contractors will be required to provide access to and collaborate with the Cybersecurity and Infrastructure Security Agency on the agency's threat hunting and incident response initiatives under the new rules. In the event of a security incident, the FBI, Department of Justice and contracting agency will also be provided "full access to applicable contractor information and information systems," in addition to contractor personnel.
The new rules stem from the cybersecurity executive order issued by President Joe Biden in May 2021.
Under the proposed guidelines, contractors will be required to develop and maintain software bills of materials — or SBOMs — for all software used as part of a federal contract.
The FAR revisions will task contractors with implementing and leveraging comprehensive cybersecurity frameworks that help protect federal information systems. Contractors will also have to prove they meet specific requirements for individual procurements and to work with and maintain high-value systems.
"By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats," the rule proposal states.
Contractors and other key stakeholders are invited to provide comments within 60 days on reporting timelines for cyber incidents and how contractors may be able to manage varying timelines and requirements across the federal government, in addition to any concerns about providing CISA, the FBI and other federal agencies with full access to information, equipment and personnel during cyber incidents.
The administration is also seeking input about how SBOMs can be collected from contractors, what challenges may arise in the development of the software inventories and what is the appropriate balance between government and contractors when evaluating SBOMs for potential software vulnerabilities.