Organizations that sell IT services to Uncle Sam are peeved at proposed changes to procurement rules that would require them to allow US government agencies full access to their systems in the event of a security incident.
The rules were unveiled in a draft update to the Federal Acquisition Regulation that refreshes security reporting standards for government contractors in line with President Biden's 2021 executive order on the topic.
While you'd think rules to improve government security would be welcomed, industry respondents aren't happy.
Even though they were first proposed in October of last year, the comment period on the FAR reporting requirements has ended after being extended for two months.
With more than 80 responses, it's clear many stakeholders wanted to have their say - and all the aforementioned provisions were questioned.
There's room to debate some of the complaints raised by commenters, but one thing's for certain: Uncle Sam's cyber incident reporting rules are growing in number - and each set of regulations is different.
The Federal Trade Commission followed suit in the fall with its own incident reporting rule, giving non-banking financial organizations 30 days to inform the commission of a successful break-in of their systems.
Due next month, CIRCIA will give companies in critical infrastructure sectors three days to report an incident.
Congressional representatives have expressed discontent with the SEC's reporting rules and introduced a bill to kill its reporting requirement - citing too short a deadline and the fact that incident reporting should fall under CISA's purview.
The proposed FAR updates, as mentioned, give a mere eight hours.
We've asked NASA, the GSA, and DoD for comment, and have not received a response at the time of publication.
This Cyber News was published on go.theregister.com. Publication date: Thu, 08 Feb 2024 00:43:04 +0000