CISA Proposed Rule – Mandatory Reporting of Cyber Incidents


CISA releases proposed rule for mandatory reporting of cyber incidents by Critical Infrastructure and State, Local, Territorial Governments.

To my understanding, this will affect all DoD contractors with DFARS 252.204-7012 in their contracts, as well as most Federal Contractors.

For example, despite small businesses being given an exclusion, any business that “Owns or operates critical manufacturing sector infrastructure” or “Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information” is in-scope, no matter their size.

CISA 6 CFR Part 226

Here is the link to the proposed CISA rule (447 pages) for your review.

CISA rule an escalation in force against contractors?

One fun snippet of the draft rule, page 435:

§ 226.14 Request for information and subpoena procedures.
(a) In general. This section applies to covered entities…

(c) Request for information–(1) Issuance of request. The Director may issue a request for information to a covered entity if there is reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report the incident or payment in accordance with § 226.3. Reason to believe that a covered entity failed to submit a CIRCIA Report in accordance with § 226.3 may be based upon public reporting or other information in possession of the Federal Government, which includes but is not limited to analysis performed by CISA. A request for information will be served on a covered entity…
(3) Response to request for information. A covered entity must reply in the manner and format, and by the deadline, specified by the Director. If the covered entity does not respond by the date specified in paragraph (c)(2)(iv) of this section or the Director determines that the covered entity’s response is inadequate, the Director, in his or her discretion, may request additional information from the covered entity to confirm whether a covered cyber incident or ransom payment occurred, or the Director may issue a subpoena to compel information from the covered entity pursuant to paragraph (d) of this section.

This is a major escalation in how forceful the U.S. Government can be toward contractors that suffer a cyber incident.

Does CISA intend to punish contractors for being breached?

I haven’t read all 447 pages, but I believe the intention is around getting information, not punishing the contractors for being breached.

However, if a contractor has a different requirement to be cyber-secure (like DFARS 252.204-7012), and the required reporting shows that the contractor didn’t follow their contract, I expect CISA would share that info with the government contracting officer (KO), triggering Ye Olde “False Claims Act” again.

Cyber-attacks against the US are increasing

I can see why the Federal Government, via CISA, is doing this. We’re seeing the news of large and small companies crippled by ransomware. Just in the last month, a huge medical insurance provider (United Healthcare) was, and is still, impacted by a cyber-attack. There are reports that water infrastructure in the USA is being targeted. If we don’t repel these attacks, we risk entire regions losing access to safe water, power, and services at a time of our attackers’ choosing.

The intention is to protect our country as a whole by enabling CISA to correlate and respond.

Are our contractors ready to comply though?

Amira Armond is the founder and Quality Manager for Kieri Solutions, an Authorized C3PAO. Kieri Solutions provides CMMC preparation and Authorized C3PAO assessment services. Check their services out at https://www.kieri.com
