The new rules turn any security incident into a bureaucratic hell.
IT companies serving the US government expressed dissatisfaction with the proposed changes to the procurement rules, according to which in the event of a cyber incident, they will have to provide full access to their systems to US government agencies.
These changes are proposed as part of an update to the Federal Procurement Rule that aims to improve security standards for government IT contractors in line with President Biden's 2021 executive order.
Possible new requirements include: contractors will be required to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours of their detection, updating information every 72 hours; it will be necessary to maintain an up-to-date software specification (SBOM); after an incident, contractors will be required to provide full access to their IT systems to CISA employees and federal law enforcement agencies.
The proposals were developed by the US Department of Defense, the General Services Administration and NASA in response to the cybersecurity threats facing the US. Incidents involving products such as SolarWinds, Microsoft Exchange, and Colonial Pipeline highlight the vulnerability of both public and private sectors to complex cyber threats.
The proposed changes quickly caused discontent in the industry. For example, the Cloud Service Providers Advisory Board (CSP-AB) and the Information Technology Council (ITIC) expressed concern that the new rules may be burdensome and disproportionate. In particular, the SBOM requirement and the limited time frame for reporting incidents have drawn criticism for their impracticality and possible negative impact on working with non-federal clients.
Overall, the United States has recently seen a significant increase in the number of rules related to reporting cyber incidents. Moreover, depending on the type of organization and the nature of the incident, the required reporting actions may vary greatly, which makes it difficult for organizations to comply with these rules.
In the context of these discussions, there is a call for a unified, authoritative incident reporting process that is applicable across the federal level and in regulated sectors. This approach would avoid inconsistencies and duplication of efforts for organizations facing cyber threats.
Experts also emphasize the importance of selecting a single coordinating agency that would serve as the central hub for all reports and subsequent investigations of cyber incidents, thereby simplifying the reporting process and increasing its effectiveness.
