Several industry organizations have derided the additional burdens presented by proposed changes to the Federal Acquisition Regulation that would mandate cyber incident disclosures to the Cybersecurity and Infrastructure Security Agency within an eight-hour window, as well as require a software bill of materials and complete access to IT systems and personnel following an incident, according to The Register.
Because SBOMs are continuously updated, cloud service providers should not be required to submit them, noted the Cloud Service Providers Advisory Board. Moreover, the Information Technology Industry Council regarded the proposed updates as clashing with the Securities and Exchange Commission's rules, as well as the Cybersecurity and Infrastructure Security Agency's regulations under the Cyber Incident Reporting for Critical Infrastructure Act.
Meanwhile, HackerOne said that requiring federal law enforcement access to compromised contractor systems could result in inadvertent data exposure.
"Non-federal customers may be reluctant to continue working with federal contractors, potentially forcing federal contractors to choose between selling to non-federal customers or the government," said HackerOne.