Earlier this year, the Coalition submitted comments on FAR Case 2021-017, “Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing.” That process presented an opportunity to address the procedural substance of incident reporting, as well as the challenges the stakeholder community faces as multiple regimes addressing various aspects of cybersecurity are implemented.
Specifically, in recent comments submitted on behalf of Coalition members, we pointed out that stakeholders have been addressing multiple cyber-related rulemakings, including:
- DoD’s Cybersecurity Maturity Model Certification (CMMC) Program 2.0
- Revisions to NIST 800-171 including Software Bills of Materials
- The implementation of the Federal Risk and Authorization Management Program (FedRAMP)
- Cyber incident reporting generally, and
- Ongoing implementation of Section 889 (regarding the restriction on the use of certain communications and video technologies)
That is a lot of cyber-related regulatory activity. To this point, in addressing one of the provisions of the Cyber Threat and Incident Reporting FAR Case, specifically, the required incident reporting within eight hours of discovering its occurrence, with subsequent updates every 72 hours thereafter, we identified the need for coordination. After noting that short timelines run the risk of inundating the government with false positive reports to make sure compliance obligations are fulfilled, along with the fact that they take away contractor time from efforts to mitigate cyber incidents, we recommended that the government:
…harmonize the proposed rule with the 72-hour reporting requirement established by the DFARS and the CIRCIA [(CISA’s Cybersecurity Incident Reporting for Critical Infrastructure Act)] to afford contractors more time to conduct initial investigations, prepare a preliminary report, and begin remediation efforts. Further, subsequent updates should be required only for material changes.
The Council should also consider exempting cloud service providers (CSPs) that have an existing FedRAMP authorization from the rule’s reporting requirements so long as they comply with FedRAMP’s incident communications procedures.
The government should pursue opportunities to harmonize the requirements and criteria of its cybersecurity rulemakings as much as possible to alleviate unnecessary burdens for both the public and private sectors. Overlapping and/or conflicting rules are not just a manifestation of inefficiency and waste. They prompt confusion and contribute to making the government an inhospitable environment for doing business. The federal government needs the commercial sector to keep up with cutting-edge technology and resulting cybersecurity vulnerabilities. Indeed, a key component of the acquisition reforms put in place at the end of the last century is the appropriate reliance on that sector, as that reliance permits the government to leverage, rather than duplicate, the private sector’s research and innovation expenditures, freeing up government funds for targeted application to mission critical goods and services. Simply put: the harder it is for commercial firms to participate, the lower the number of commercial firms, and their associated solutions, available to the government.
In a recent Breaking Defense opinion piece advocating for DoD and Congress to “walk away” from CMMC, Bill Greenwalt, nonresident senior fellow at the American Enterprise Institute and a former deputy undersecretary of defense for industrial policy, discussed the burden of such compliance costs. He stated:
CMMC’s costs are significant and equate to nearly $4 billion annually over the next two decades. … [I]ncreased costs to industry will inevitably end up coming back to the department in the form of increased prices and what the government pays in reimbursed contractor overhead.
***
For small businesses, exactly the type of company that DoD is looking to attract in its latest industrial base strategy, these costs may prove to be prohibitive as the price to pay to merely bid on a contract. DoD has noted it will cost small businesses over $100,000 to have a third-party certify their compliance with just Level 2 requirements. …
For primarily commercial companies, the issue will be whether the benefits ever justify the costs… The net result will be more decisions to not bid on government contracts, an even smaller and more concentrated defense industrial base, and fewer opportunities for DoD to adopt leading commercial innovation.
Hyperlinked citations omitted.
In our comments on the Cyber Threat and Incident Reporting rule, we expressed our belief that with so many cyber initiatives underway, the government and industry would benefit from opportunities for periodic information exchanges. Based on the foregoing, we continue to believe that such exchanges would facilitate a common understanding of the many compliance obligations involved in identifying and implementing an appropriate cybersecurity regime, including the cost of that regime, and thereby, they would promote the efficient and effective implementation of needed cyber-related rules. To that end, the Coalition is available to facilitate such exchanges.