Brandon Vigliarolo reports:
Organizations that sell IT services to Uncle Sam are peeved at proposed changes to procurement rules that would require them to allow US government agencies full access to their systems in the event of a security incident.
The rules were unveiled in a draft update to the Federal Acquisition Regulation (FAR) that refreshes security reporting standards for government contractors in line with President Biden’s 2021 executive order on the topic.
Among the potential incoming requirements are:
- Contractors would have just eight hours to report a detected incident to the Cybersecurity and Infrastructure Security Agency (CISA), which would have to be updated every 72 hours thereafter;
- A software bill of materials (SBOM) would need to be maintained;
- After an incident, contractors would provide “full access” to IT systems and personnel for CISA and federal law enforcement agencies.
Read more at The Register.