Primes and Subs: CISA Needs You (to Act)!

By: Diana Strassmaier, CPA, CCIFP®

As cyber-attacks become more sophisticated and widespread, government agencies are proposing to revise* the Federal Acquisition Regulation (FAR) “to increase the sharing of information about cyber threats and incident information between the Government and information technology and operational technology service providers.”

The proposed rule includes:

  • Revising the definition of information and communication technology to include telecommunications services, electronic media, Internet of Things (IoT), and operational technology.
  • Revising the term “software” to “computer software.”
  • Requiring offerors to certify that they’ve submitted all security incident reports promptly and accurately.
  • Requiring subcontractors to notify the prime contractor/higher-tier subcontractor within eight hours of discovering a security incident.

In short, it indicates “that the compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under Government contracts.” It further stipulates for contractors to:

  • Develop and maintain a software bill of materials for software used in the performance of the contract, irrespective of whether there is a security incident.
  • Cooperate and provide access to information and equipment for the Cybersecurity and Infrastructure Security Agency (CISA) as needed for threat hunting and incident response.
  • Provide full access to applicable contractor information and information systems and personnel to CISA, the FBI, and the contracting agency in response to a security incident reported by the contractor or identified by the government.
  • Report security incidents and take action to support a response. (Agencies acknowledge that contractors operating in certain foreign countries may be subject to laws and regulations that limit what information and access they can provide to the US government.)
  • Immediately investigate the security incident and submit information via the CISA incident reporting portal within eight hours of discovery and provide updates every 72 hours until the investigation or remediation activities are complete.

The proposed revisions seek to comply with Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, which aimed to increase the protection of government networks in the aftermath of the 2019 SolarWinds data breach, the 2021 Microsoft Exchange server data breach, and the 2021 Colonial Pipeline ransomware attack—all of which remind us that we face both malicious nation-state actors and cybercriminals. All three events had, according to a government statement, “insufficient defenses that [left] public and private sector entities more vulnerable to incidents.”

Better Cybersecurity Starts with You

At Aldrich, we recommend that contractors develop a software bill of materials for any software used in performing contracts. Also, make sure you have controls in place to prevent and respond to cyber-attacks, and ensure you have threat detection controls in place, like multi-factor authentication (MFA). Also, make sure you have controls in place to prevent and respond to cyber-attacks and ensure you have threat detection controls in place, like multi-factor authentication (MFA).

We know eight hours is not much time to report after discovering a security incident, and we recommend that you develop and put into action an incident response plan that defines roles within your company and includes steps to resolve, document, and communicate a security incident timely and accurately.

If you have any questions about the proposed rule or how it may impact your business, let’s talk.

*Comments to the proposed rule are due by December 4, 2023. It’s a rare opportunity to provide the FAR Council with input on this specific area, as they often only request comments in general. You may submit comments here.

Meet the Author
Partner

Diana Strassmaier, CPA, CCIFP®

Aldrich CPAs + Advisors LLP

Diana joined the firm in 2018 with almost two decades of experience serving members of various industries including construction, engineering and architecture, manufacturing and distribution, and government contracting. An expert on conducting overhead audits, Diana works closely with government contracting industry clients to offer clarity on how overhead rates work and help them maximize compensation…. Read more Diana Strassmaier, CPA, CCIFP®

Diana's Specialization
  • Indirect cost rate (overhead) audits and consulting
  • Financial audits, reviews and compilations
  • Business and personal tax planning and preparation
  • Certified QuickBooks ProAdvisor
  • Management consulting
  • Compensation analysis
  • Sage Fixed Assets Certified Consultant
Connect with Diana
Diana Strassmaier's headshot in black and white in office space.
Connect with Diana
Share
Generate PDF
Related Articles
team of architects and engineers look at blueprints on a wooden table
Billing and Timekeeping: Guidance and Principles
A hand with a pencil sketching a blueprint for a government contract that must meet FAR compliance.
Proper Use of FAR Overhead Rates Maximizes Cost Recovery on Government Contracts

Looking for support or have a question?

Contact us to speak with one of our advisors.

"*" indicates required fields

Aldrich
Find us near you
Get in touch
Copyright © 2024 Aldrich
Search
All Industries
All Services
About Aldrich Advisors

People

Insights

Contact Us

Make a Payment

Industries
Services
About Us
Resources
Search
Login
Get in touch