Primes and Subs: CISA Needs You (to Act)!

As cyber-attacks become more sophisticated and widespread, government agencies are proposing to revise* the Federal Acquisition Regulation (FAR) “to increase the sharing of information about cyber threats and incident information between the Government and information technology and operational technology service providers.”

The proposed rule includes:

• Revising the definition of information and communication technology to include telecommunications services, electronic media, Internet of Things (IoT), and operational technology.
• Revising the term “software” to “computer software.”
• Requiring offerors to certify that they’ve submitted all security incident reports promptly and accurately.
• Requiring subcontractors to notify the prime contractor/higher-tier subcontractor within eight hours of discovering a security incident.

In short, it indicates “that the compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under Government contracts.” It further stipulates for contractors to:

• Develop and maintain a software bill of materials for software used in the performance of the contract, irrespective of whether there is a security incident.
• Cooperate and provide access to information and equipment for the Cybersecurity and Infrastructure Security Agency (CISA) as needed for threat hunting and incident response.
• Provide full access to applicable contractor information and information systems and personnel to CISA, the FBI, and the contracting agency in response to a security incident reported by the contractor or identified by the government.
• Report security incidents and take action to support a response. (Agencies acknowledge that contractors operating in certain foreign countries may be subject to laws and regulations that limit what information and access they can provide to the US government.)
• Immediately investigate the security incident and submit information via the CISA incident reporting portal within eight hours of discovery and provide updates every 72 hours until the investigation or remediation activities are complete.

The proposed revisions seek to comply with Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, which aimed to increase the protection of government networks in the aftermath of the 2019 SolarWinds data breach, the 2021 Microsoft Exchange server data breach, and the 2021 Colonial Pipeline ransomware attack—all of which remind us that we face both malicious nation-state actors and cybercriminals. All three events had, according to a government statement, “insufficient defenses that [left] public and private sector entities more vulnerable to incidents.”

At Aldrich, we recommend that contractors develop a software bill of materials for any software used in performing contracts. Also, make sure you have controls in place to prevent and respond to cyber-attacks, and ensure you have threat detection controls in place, like multi-factor authentication (MFA). Also, make sure you have controls in place to prevent and respond to cyber-attacks and ensure you have threat detection controls in place, like multi-factor authentication (MFA).

We know eight hours is not much time to report after discovering a security incident, and we recommend that you develop and put into action an incident response plan that defines roles within your company and includes steps to resolve, document, and communicate a security incident timely and accurately.

If you have any questions about the proposed rule or how it may impact your business, let’s talk.

*Comments to the proposed rule are due by December 4, 2023. It’s a rare opportunity to provide the FAR Council with input on this specific area, as they often only request comments in general. You may submit comments here.