Priya PatelTLDR:
- Proposed changes to the Federal Acquisition Regulation would require federal contractors to disclose cyber incidents to the Cybersecurity and Infrastructure Security Agency within eight hours and provide a software bill of materials.
- Industry organizations have criticized the burdensome nature of these changes and their potential conflicts with existing regulations.
- Cloud service providers argue that they should be exempt from submitting software bill of materials due to continuous updates.
- The Information Technology Industry Council expressed concerns about the proposed changes conflicting with SEC rules and existing regulations for cyber incident reporting.
- HackerOne raised concerns about requiring federal law enforcement access to compromised systems, which could lead to unintended data exposure.
Several industry organizations have voiced their criticism of proposed changes to the Federal Acquisition Regulation that would mandate stricter cyber incident reporting requirements for federal contractors. The changes would require contractors to disclose cyber incidents to the Cybersecurity and Infrastructure Security Agency within an eight-hour window and provide a software bill of materials.
The Cloud Service Providers Advisory Board argued that cloud service providers should not be required to submit software bill of materials due to the continuous updates involved in their services. They believe that this requirement would create unnecessary burdens for the industry.
The Information Technology Industry Council also expressed concerns about the proposed changes conflicting with existing regulations. They believe that the changes clash with Securities and Exchange Commission rules and the Cybersecurity and Infrastructure Security Agency’s regulations under the Cyber Incident Reporting for Critical Infrastructure Act.
HackerOne, a cybersecurity company, raised concerns about the proposed requirement for federal law enforcement access to compromised contractor systems. They believe that this could unintentionally expose sensitive data and lead to unintended consequences.
Overall, industry organizations are criticizing the additional burdens and potential conflicts presented by the proposed changes to the Federal Acquisition Regulation. These organizations argue that the changes could have negative consequences for federal contractors and hinder their ability to work with non-federal customers. They are calling for a reconsideration of these changes in order to strike a better balance between cybersecurity requirements and operational challenges.
