The rules applied to US government IT contractors and suppliers as part of the Federal Acquisition Regulation (FAR) are under review due to the increasing number of new and existing threats.
Under the draft changes proposed to the FAR, contractors would have to disclose detected incidents within eight hours to the Cybersecurity and Infrastructure Security Agency (CISA), provide updates every 72 hours, and give full access to all IT systems and employees.
Contractors and suppliers to the US government are not happy with the proposed changes, which they say would effectively give federal authorities the keys to their networks and hinder their ability to operate.
A number of bodies representing IT and cloud industry leaders have lodged numerous responses to the proposed draft, whose commenting period was extended by an additional two months.
These responses criticized the inefficiencies and potential bureaucracy of enforcing these guidelines upon companies, with HackerOne pointing out that providing total access to federal authorities could expose the data of non-federal customers.
As a result of this, HackerOne stated that “Non-federal customers may be reluctant to continue working with federal contractors, potentially forcing federal contractors to choose between selling to non-federal customers or the government.”
The Information Technology Industry Council (ITIC), which represents tech giants such as Apple, Samsung, and Microsoft, criticized the enforced disclosure deadline as “unduly burdensome” and stated that the 72-hour update frequency “does not reflect the shifting urgency throughout an incident response.”
Talking to TechRadar Pro, Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, commented, “If the proposed amendment comes into force, it will likely bring more troubles than benefits. While the underlying concept of accelerating and solidifying incident response makes perfect sense, it seems to be abstracted from the operational environment.
“For instance, it is highly unlikely that the CISA will have enough personnel to review an avalanche of data breach submissions within the novel eight-hour deadline. Instead, snowballing data breach reports will be piling up, driving CISA’s analysts crazy with the insurmountable volume of work. Likewise, getting access to the breached companies may be a good idea subject to the availability of DFIR experts having enough time to perform investigations.
“Additionally, the CISA, as a nationwide collector of valuable cyber intelligence, will become a high-priority target for sophisticated state-backed cybercriminals. Therefore, unless the CISA and all other federal agencies are confident that they can properly address the new volume of information, as well as timely investigate and then prosecute most important security incidents, this amendment may rather create a huge mess and weaken national cybersecurity.”
Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.