Industry groups push back on cyber incident rules requiring “full access”

Proposed cybersecurity rules that would grant the government “full access” to contractor IT systems in the wake of a cyber incident is causing heartburn among industry groups.

The groups are also objecting to the tight cyber incident reporting deadline in proposed cyber rules. They also oppose requirements to use Software Bills of Material (SBOMs).

Agencies released the two proposed cybersecurity rules for information and communications technology (ICT) contractors last fall. The deadline to respond to both rules was Feb. 2.

The proposed rules would, among other things, grant the Cybersecurity and Infrastructure Security Agency, the FBI and the contracting agency “full access to applicable contractor information and information systems, and to contractor personnel, in response to a security incident reported by the contractor or a security incident identified by the government.”

In a joint letter, the Cybersecurity Coalition and the Alliance for Digital Innovation (ADI) argued the “full access” provision in the rules should be removed.

Grant Schneider, senior advisor to ADI, said the proposal would create a “very unbounded type of access” that could raise privacy concerns.

“I don’t think there should be a provision for full access,” Schneider said. “That said, if the government absolutely feels that they need to have that as an option, then I think there’s a number of things that they could put in place.”

ADI and the Cybersecurity Coalition recommended several stipulations to the provision. They argued agencies should only be granted full access if a contractor is not cooperating with an investigation into a cyber incident.

The groups also said there should be an appeals process so contractors can object to “unnecessary” access to systems.

“Just some checks and balances, so we’re doing this in a collaborative manner, we’re taking a risk management approach to cybersecurity, both for the government and for the contractor,” Schneider said.

BSA The Software Alliance also recommended removing the “full access” provisions in the rules. Henry Young, BSA’s senior director for policy, argued the provision would “undercut privacy and security protections.”

“Typically, before law enforcement would get access to private information there would be process or consent,” Young said. “And what this suggests is that maybe those protections would no longer be enforced. So it’s a sea change in how these parties interact.

Stephanie Kostro, vice president for policy at the Professional Services Council, also said PSC’s members have also raised issues about the “full access” proposal.

“We’re also talking a bit about protection of what is called government data or government related data,” Kostro said on The Federal Drive with Tom Temin. “A lot of companies have trade secrets, have pricing models, have sensitive information on their systems. And one of the rules does go in to say, ‘if it is on a system that performs government work, that is government related data.’ That’s an issue in terms of intellectual property, and it’s an issue in terms of privacy.”

Cyber incident reporting and SBOMs

The rules would also require ICT contractors to report potential cyber incidents to the government within eight hours. “Recognizing that initial reports may not contain complete information, even incomplete early reports provide the government an important opportunity to limit the extent of damage to its systems and data,” the proposed rule states.

The industry groups are also urging agencies to modify that requirement. They say the types of incidents and the timeline for reporting should align with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). That law requires a 72-hour reporting timeframe. CISA is expected to issue those rules later this spring.

“When you throw in a different set of reporting requirements, it really just makes the entire process more cumbersome,” Young said. “I would say the most important thing is we just do things in an orderly manner. And it will be much more efficient if we do it that way.

The groups are also pushing back against requirements in the rules for ICT contractors to maintain SBOMs. Young said the government shouldn’t mandate the use of SBOMs until CISA and stakeholders make more progress on efforts to develop and standardize the software ingredients lists.

“We support SBOMs, and I believe they will be required in the coming years,” Young said. “But requiring them now, before industry and government have completed the work that CISA is leading, seems to be out of order.”

‘Markers in the sand’

The proposed cyber rules are motivated by recent cyber incidents, according to Chris DeRusha, the federal chief information security officer.

“I think the important thing to remember is we put these federal acquisition rules together on the heels of the SolarWinds event and Colonial Pipeline,” DeRusha told Federal News Network in October, shortly after agencies published the proposed rules. “It’s really the U.S. government saying, ‘Here’s the things, that based on our experience responding to serious incidents, that have really been missing for us to be able to do our jobs.’”

Schneider, the former federal CISO, said he believes the rules are the government’s “opening negotiation point” in setting critical cyber requirements for contractors.

“I think they’re putting some markers in the sand,” Schneider said. “I personally will be very surprised if we don’t see some movement to a little more of a compromise on some of these areas.”

Agencies will now have to take into account the feedback they received on the proposed rules before issuing final regulations.

“There’s a question of whether they try to get this done before the election or before the end of the calendar year,” Schneider said. “But I think that would be a pretty heavy lift to just given the substance and the size of what was in these rules.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.