A top White House cybersecurity official says the “conversation is being started” around sweeping new cyber requirements for federal IT contractors.
One rule published in the Federal Register this week includes a provision that would mandate some key contractors report cyber incidents to the government within eight hours. Another aims to standardize cybersecurity requirements for unclassified information systems across government.
The proposals stem from President Joe Biden’s May 2021 cybersecurity executive order. The EO included a major goal to ensure information technology and operational technology contractors share more cybersecurity information with agencies. “These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on federal information systems,” the order states.
Chris DeRusha, the federal chief information security officer, said recent cyber incidents helped inform the proposed rules.
“I think the important thing to remember is we put these federal acquisition rules together on the heels of the SolarWinds event and Colonial Pipeline,” DeRusha said in an interview with Federal News Network after speaking at ACT-IAC’s Cybersecurity Summit on Wednesday. “It’s really the U.S. government saying, here’s the things, that based on our experience responding to serious incidents, that have really been missing for us to be able to do our jobs.”
“We understand there are some big changes there,” he added.
The proposed regulations from the Defense Department, General Services Administration and NASA would require information and communications technology contractors to report cyber incidents through the Cybersecurity and Infrastructure Security Agency’s reporting portal “within eight hours of discovery” and provide updates every 72 hours thereafter.
“Recognizing that initial reports may not contain complete information, even incomplete early reports provide the government an important opportunity to limit the extent of damage to its systems and data,” the proposal states.
DeRusha emphasized how the eight-hour reports won’t necessarily contain “full information” about a cyber incident.
“That’s an initial notification that something’s going on, and that allows us to put pieces together and put the threat picture together at the speed that we need to address our adversaries,” DeRusha said. “When we are talking about generative AI, and the increase in the speed of incidents, we have to have the ability here to get information fast, or at least an initial notification.”
Officials hope to get feedback about the feasibility of the eight-hour requirement, the constraints for industry, and the potential costs.
“I think those are all really important feedback points,” DeRusha said.
The rule further proposes a requirement that would allow CISA, the FBI and the contracting agency “full access to applicable contractor information and information systems, and to contractor personnel, in response to a security incident reported by the contractor or a security incident identified by the government.”
And the ICT rule “proposes a new requirement for contractors to develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract regardless of whether there is any security incident.”
SBOMs are often referred to as software “ingredients lists” that provide an inventory of the libraries, components and metadata associated with a software application.
The proposed rule is seeking feedback on methods for collecting SBOMs from contractors; the “appropriate scope” of the requirements; the challenges with developing an SBOM; and how often an SBOM should be updated to account for changes in the software.
Comments on the proposed regulations released this week are due by Dec. 4.
And DeRusha said there will be further proposals coming out regarding the broader application of SBOM requirements, as well as the reforms to the Federal Risk Authorization and Management Program (FedRAMP) for authorizing cloud services used by the government.
“The conversation is being started in this in these rules that went out for public comment,” DeRusha said. “We’re certainly getting a lot of initial interest in those areas. We expected that.”