Earlier this year, the Coalition for Government Procurement submitted comments on FAR Case 2021-017, “Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing.” That process presented an opportunity to address the procedural substance of incident reporting, as well as the challenges the stakeholder community faces as multiple regimes addressing various aspects of cybersecurity are implemented.
Specifically, in recent comments submitted on behalf of Coalition members, we pointed out that stakeholders have been addressing multiple cyber-related rulemakings, including:
- DoD’s Cybersecurity Maturity Model Certification (CMMC) Program 2.0
- Revisions to NIST 800-171 including Software Bills of Materials
- The implementation of the Federal Risk and Authorization Management Program (FedRAMP)
- Cyber incident reporting generally, and
- Ongoing implementation of Section 889 (regarding the restriction on the use of certain communications and video technologies)
That is a lot of cyber-related regulatory activity. To this point, in addressing one of the provisions of the Cyber Threat and Incident Reporting FAR Case, specifically the requirement to report an incident within eight hours of discovering it, with subsequent updates every 72 hours thereafter, we identified the need for coordination. After noting that short timelines run the risk of inundating the government with false-positive reports filed to make sure compliance obligations are fulfilled, and that they take away contractor time from efforts to mitigate cyber incidents, we recommended that the government:
…harmonize the proposed rule with the 72-hour reporting requirement established by the DFARS and the CIRCIA [(CISA’s Cybersecurity Incident Reporting for Critical Infrastructure Act)] to afford contractors more time to conduct initial investigations, prepare a preliminary report, and begin remediation efforts. Further, subsequent updates should be required only for material changes.