The rules applicable to U.S. government IT contractors and suppliers under the Federal Acquisition Regulation (FAR) are under review due to a growing number of new and existing threats.
Draft changes proposed to the FAR would require contractors to disclose detected incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours, provide updates every 72 hours, and give federal authorities full access to all IT systems and employees.
U.S. government contractors and suppliers are not happy with the proposed changes because they would effectively give federal authorities the keys to the network and hamper their ability to operate.
Many organizations representing IT and cloud industry leaders submitted numerous responses to the draft, and the comment period was extended for an additional two months.
These responses criticize the inefficiency and potential bureaucracy of forcing these guidelines on companies, and HackerOne pointed out that providing complete access to federal authorities could result in the data of non-federal customers being compromised.
As a result, HackerOne said, “Non-federal customers may be reluctant to continue working with federal contractors, and federal contractors may be forced to choose between selling to non-federal customers and selling to the government.”
The Information Technology Industry Council (ITIC), which represents major technology companies such as Apple, Samsung and Microsoft, criticized the mandatory disclosure deadline as “unduly burdensome” and said the 72-hour update frequency “does not reflect the urgency” of changes throughout the incident response.
Dr. Ilia Kolochenko, CEO and chief architect of ImmuniWeb and adjunct professor of cybersecurity and cyber law at Capitol Technology University, commented in an interview with TechRadar Pro: “The basic concept of accelerating and enhancing incident response makes perfect sense, but it seems abstracted from the production environment.
“For example, it is highly unlikely that CISA will have enough resources to review an avalanche of data breach submissions within a novel eight-hour deadline. Reports will pile up and CISA analysts will be driven insane by the unbearable workload. Likewise, will DFIR experts have enough time to conduct their investigations, provided they are given access to the compromised company?
“Furthermore, as a national collector of valuable cyber intelligence, CISA will be a top target for sophisticated state-sponsored cybercriminals. Therefore, unless CISA and all other federal agencies are confident that they can adequately handle the volume of information and investigate and prosecute the most important security incidents in a timely manner, this amendment may instead cause greater confusion and weaken our national cybersecurity.”