The Cybersecurity Coalition, in partnership with the Alliance for Digital Innovation (ADI), submitted comments on two proposed rules from the Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) – FAR Case 2021-017 and FAR Case 2021-019 – that would update the Federal Acquisition Regulation (FAR). The proposed rules aim to implement requirements of Executive Order (E.O.) 14028, Improving the Nation's Cybersecurity.

Case 2021-017 amends the FAR to implement the E.O. provisions on cybersecurity incident reporting, information sharing, and related policies for federal contractors. In our comments, we urged the government to take a different approach with federal contractors and industry than it takes with federal agencies. Whereas federal agencies face few consequences if they do not meet Federal Information Security Modernization Act (FISMA) requirements, federal contractors and industry can face criminal prosecution if they violate the FAR. Beyond this critique, our comments highlighted the following key concerns:

  • Software Bills of Materials (SBOMs) – The proposed rule requires federal contractors to develop and maintain SBOMs for software used in the performance of a contract. However, SBOMs, especially those for cloud products and legacy products, are not yet commonplace and require further standardization. Accordingly, we urge the government not to require SBOMs for cloud products. For the SBOMs the government does collect, we advocate for technical and legal protections that prevent disclosure of commercial trade secrets.
  • Access to Contractor Information and Information Systems – The proposed rule requires federal contractors to provide CISA, the FBI, and other select federal agencies with “full access” to all systems used in the performance of the contract. However, “full access” is only vaguely defined in the rule, which would allow the government to reach systems belonging to the contractor’s non-federal clients or to the contractor itself. We believe this degree of access is unprecedented and unreasonable and urge the government to remove the provision. Short of that, we urge the government to build safeguards into the process, such as an escalation process, specific triggers for when access is permitted, an appeals mechanism for federal contractors, limits on data collection, and protections for the data collected.
  • “Full Access” Compliance When Operating in a Foreign Country – We express our concern that the “full access” provision would conflict with foreign laws, such as the European Union’s General Data Protection Regulation (GDPR). We therefore recommend that the government specify that it can only collect information from systems physically located in the United States. Furthermore, we urge the government to prohibit the collection of personally identifiable information (PII) and other types of sensitive information.
  • Security Incident Reporting Harmonization – The proposed rule creates an eight-hour reporting timeline triggered by the discovery of a security incident, i.e., any indication that an incident may have occurred. We argue that this would increase the compliance burden on federal contractors and increase the number of false-positive reports. Instead, we urge the government to require federal contractors to report a cybersecurity incident within “24 hours of the determination that an incident has occurred” and to “update the submission when material changes occur” until remediation activities are completed. We also broadly encourage the government to harmonize its cybersecurity incident reporting requirements across its regulations, guidelines, and policies.

Case 2021-019 amends the FAR to implement the E.O. provisions that standardize cybersecurity contractual requirements across federal agencies for unclassified Federal Information Systems. Our comments on Case 2021-019 raised the following key concerns:

  • Access to Contractor Systems – We raised the same concerns as in our comments on Case 2021-017.
  • Use of Government-Related Data – The proposed rule prohibits federal contractors from using “government-related data” without the express consent of the contracting officer. This provision would effectively prevent cloud service providers (CSPs) from using such data to analyze and improve their underlying technology. We argue that the government should rescope the definition of “government-related data” so that CSPs can continue improving the security of their products.
  • Indemnification Clauses – The proposed rule requires contractors to indemnify the government and its officers, agents, and employees against certain liabilities arising out of the contract. We argue that this is a significant change from the status quo and that it would hold contractors liable even when they are operating within the terms of the contract. We encourage the government to remove the indemnification clauses and instead rely on the existing protections of the False Claims Act and existing parts of the FAR.
  • Data Localization – The proposed rule requires cloud computing services to store government data on U.S.-based servers in order to meet FIPS Publication 199 high-impact requirements. We argue that this provision runs counter to the Office of Management and Budget’s (OMB) draft FedRAMP guidance, which says “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use.” We urge the government to eliminate this provision as well as any other references to data localization.

Luke O'Grady
