Government , Industry Specific , Standards, Regulations & Compliance
ISACs Slam US Federal Cyber Incident Reporting Proposals
Information-Sharing Groups Call Reporting Requirements 'Too Costly, Overreaching'Multiple organizations acting as a cybersecurity information-sharing gateways between the public and private sectors are decrying as being costly and ineffective a proposed incident reporting measure for vendors selling to the U.S. federal government.
The Food and Agriculture Information Sharing and Analysis Center on Wednesday joined the Information Technology ISAC and IT Sector Coordinating Council in criticizing a proposed cybersecurity amendment to the rules governing how the government buys products and services.
The proposal, unveiled in October, requires federal contractors to immediately investigate potential security incidents, report that information to the Cybersecurity and Infrastructure Security Agency within eight hours of discovery and keep the agency updated every 72 hours.
The federal government estimates the proposed rule will affect three of every four contracts in which the government is a contracting party, since its base assumption is that 75% of all acquisitions involve an information and communication technology component.
The proposal closes off loopholes to regulatory compliance by stipulating that it would apply to commercial items and small acquisitions worth less than $250,000 - both of which typically occur under a lightened set of federal mandates.
The proposed rules follow a May 2021 executive order by President Joe Biden that tasks the federal government with implementing incident reporting obligations for federal contractors.
"There are tens of thousands of companies that will be caught up in this regulation, unbeknownst to them," the IT-ISAC wrote, because the proposal would apply to all contracts where ICT is "used or provided." The eight-hour reporting requirement would flow down to subcontractors.
The government estimates that only 4% of affected vendors will actually have to comply with the reporting requirement due to experiencing a cyber incident - and even then, that only smaller percentages will have to provide CISA with additional information, such as forensic data or a damage assessment. But, those numbers are estimates and don't spring from quantifiable data, the proposal states.
The ISACs also take issue with the threshold for reporting, which includes "potential" incidents, calling it "unreasonable, unworkable and inconsistent."
"CISA will be quickly overrun with unverified, outdated indicators, and with hundreds, potentially thousands, of reports each day that an incident 'may' have occurred. None of this will improve cybersecurity," the IT-ISAC wrote. The organization recommends the proposed rule be limited to "actual, confirmed incidents" that affect a contractors' ability "to provide its contractual product or service, and to those that impact government data hosted by the contractor."
The Food and Agriculture ISAC took issue with the provisions flowing down to subcontractors, writing that "many companies are not aware that their product is provided to the federal government." It proposes limiting subcontractor compliance so that it doesn't include "companies without federal contracts" and requiring prime contractors to notify subcontractors about the federal connection.
Both ISACs dislike the eight-hour reporting requirement. The government itself recognized in the proposal preamble that different reporting time frames for cybersecurity reporting already exist, including a 72-hour threshold under regulations still be developed that were mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. "The products and systems that contractors offer to the federal government may be subject to these and other incident reporting requirements," the proposal states.
The ISACs also called additional provisions included in amendment "equally concerning," including language that would enable government-appointed third parties to have "unlimited access" to a contractor's systems or employees in the event of a reported cyber incident.
Contractors would also be required to grant CISA, the FBI and the contracting agency "full access" to personnel, information systems and any applicable contractor information, including physical and electronic access to networks, systems, accounts and other infrastructure, according to the proposal.