Five Key Upcoming Changes in Cyber Compliance Legislation and Incident Reporting Procedures for Federal Contractors

The federal government performs regular inspections of food processing plants to make sure there aren’t any rats running around, but soon they could also be conducting cyber hygiene inspections to make sure there aren’t any “virtual” rats running around. New changes are in the works for cybersecurity regulations and incident reporting procedures for federal contractors.

The new compliance guidelines are outlined in President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity, as well as in five new bills that have been introduced to Congress. These changes will be especially significant for businesses that provide services to the federal supply chain or plan to obtain government contracts. In this post, we’ll walk you through the five most important takeaways from the executive order and new, proposed legislation, as well as help you understand what it could mean for your organization.

Five Potential Changes to Cybersecurity Regulations & Incident Reporting Procedures Every Federal Contractor Should Watch

1. A new cyber safety review board and updated NIST regulations.

With several high-profile breaches and ransomware incidents making headlines this year, it was a timely move from the Office of the President to release an executive order with instructions for improving the nation’s cybersecurity. This order calls for the creation of a new Cyber Safety Review Board (detailed in Section 5), which will oversee major cybersecurity incidents, and be comprised of “representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from appropriate private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security.” This board will provide the government with an official body in charge of creating and enforcing cyber safety standards and incident reporting procedures.

There will also be updates to the standards used to evaluate IT infrastructure, notably the NIST Cybersecurity Framework, which has served as a voluntary framework for cyber compliance. Upcoming changes will incorporate these standards into the Federal Acquisition Regulation (FAR) for government contractors, so that they will become mandatory prerequisites for contract renewal.

In addition, five new bills have been introduced to congress from the U.S. House Committee on Homeland Security, and have received bipartisan support in the aftermath of the Colonial Pipeline attack. These pieces of legislation propose more stringent cybersecurity regulations on “domains critical to homeland security” and would empower the Cybersecurity and Infrastructure Security Agency (CISA) to assist in their implementation.

2. Proposed: new incident reporting procedures.

Among the guidelines proposed in the executive order and the laws mentioned above are new cyber incident reporting procedures. All service providers in the government supply chain will be required to promptly report cyber incidents to a contracting officer and to CISA.  Contractors will also be required to report ransom payments to hacking groups, but payments made to federally sanctioned entities could come with legal repercussions. CISA will be responsible for aggregating and analyzing reports across government agencies and determining risks from the private sector.

These changes will affect oil pipeline owners in particular. Interestingly, the Transportation Security Administration (TSA) oversees pipeline operation in the United States, and the agency has also made changes in the wake of the Colonial Pipeline attack. According to The Washington Post, “the TSA’s new security directive will require pipeline companies to report cyber incidents to TSA and CISA and to have a cyber official — such as a chief information security officer — with a 24/7 direct line to TSA and CISA to report an attack. It will also require companies to assess the security of their systems as measured against existing cyber guidelines; fixing any gaps is currently voluntary.” Now, companies will be required to resolve any vulnerabilities identified. These incident reporting procedures could eventually be expanded to other types of utility companies as well.

3. Inspections and compliance are no longer voluntary.

Though cyber compliance guidelines like the NIST framework have existed for some time, they have only been implemented by companies on a voluntary basis. The Verge also reports that previously, “companies were free to decline inspections of their systems by the TSA.” This will no longer be the case.

Governmental agencies and private companies required to follow the new cyber safety requirements will be subject to inspections by the newly created Cyber Safety Review Board, and/or another agency such as CISA or the TSA. A violation of requirements listed in the FAR will be considered a breach of contract. Though there have been no precedents set yet, there could be fines or legal repercussions for any violations, and contractors could have their contracts revoked.

To avoid the costly consequences of a breach, companies will need to have advance preparation for these inspections and follow all cyber incident reporting procedures.  A cybersecurity firm like LMG Security can help get your business ready with advisory and compliance services.

4. Requirements must be met in the federal supply chain and by government contractors.

After the SolarWinds hack exposed the impact that the breach of a service provider could have on federal networks, it became clear that vulnerabilities in the federal supply chain pose major risks to governmental cybersecurity. This sentiment was echoed in Section 4 of the recent executive order, which states: “The security and integrity of ‘critical software’ — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern.”  In this section of the order, it is made clear that all vendors in the government’s software supply chain must meet the same compliance standards and incident reporting procedures as the federal agencies they serve.

For the time being, this appears to be limited to “critical software”, but this definition could be challenged to include critical infrastructure and services needed to keep the federal government running. Government offices rely on a dependable power and utility supply, and federal employees require a host of software platforms to do their jobs.  If any service in the supply chain is unavailable due to a ransomware attack or other breach, then it could be considered a matter of national security.

5. State governments may add additional requirements.

In addition to federal regulations, state governments are also encouraged to add their own requirements. This year alone, 45 states have introduced over 250 bills dealing with cybersecurity. These proposed laws range from increased standards and training requirements to the creation of task forces and enforcement bodies. Businesses that provide IT services for specific state governments or to the general public should take care to review any locality-specific obligations and incident reporting procedures. California, in particular, is expected to take a more regulatory-heavy stance than other states, given a past history of approving data protection laws such as the California Consumer Privacy Act (CCPA).

Ultimately, a hodgepodge of state-level regulations will be hard for businesses to follow, and weakness in cyber legislation at the federal level will cause states to continue to act on their own.  Therefore, it so it is a good sign that the federal government is moving to create more universal standards, and we can hope that lawmakers will continue to improve and consolidate cyber regulations for the benefit of the companies tasked with following them.

What Does This Mean for Your Organization?

If you are a federal contractor, it will be some time before these new regulations go into effect. However, it’s best to not wait until the inspectors are knocking on your door to start thinking about making changes to improve your security. If your company is in the federal supply chain or plans on obtaining government contracts in the future, you need to make plans to secure your IT infrastructure and eliminate any cyber rats crawling around your network. An experienced cybersecurity firm can provide the guidance you need to develop incident reporting procedures, perform technical testing, and ensure that your plans are federally compliant.

LMG Security has been helping organizations prepare for the challenges of data security, privacy challenges, and changing law and regulations for 12 years. Contact us if you need help.