The Biden administration has proposed new requirements for federal contractors, including those of the Department of Defense, NASA, and the General Services Administration [3]. These requirements aim to enhance incident response and cybersecurity by requiring a software bill of materials (SBOM) and establishing cybersecurity policies and requirements for contractors maintaining Federal Information Systems (FIS).

Description

The proposed requirements involve the development and maintenance of a software bill of materials (SBOM) for any software used in federal contracts. An SBOM is an inventory, in an electronically readable format, of all components in a piece of software [2], including the hierarchical relationships between those components [3]. This proposal aims to enhance incident response and cybersecurity, as outlined in an executive order signed by President Joe Biden [2].

In addition to the SBOM requirement, federal contractors would also need to cooperate with and provide access to CISA engagement services for threat hunting and incident response [1]. In the event of a security incident, contractors must provide full access to their information systems and personnel to CISA, the FBI, and the contracting agency [1]. Contractors operating in foreign countries may have additional reporting and support requirements [1].

The proposed rule also includes cybersecurity policies and requirements for contractors maintaining Federal Information Systems (FIS) [1]. Contractors must categorize the FIS based on FIPS 199 Impact Level and implement corresponding security and privacy controls [1]. They must also conduct annual cyber threat hunting and vulnerability assessments [1], as well as independent security assessments [1]. Additional security and privacy controls will be specified by agencies based on NIST guidelines [1].

These proposed rules apply to both non-cloud and cloud computing services [1]. Contractors using non-cloud services must provide timely access to government data and conduct assessments [1]. Contractors using cloud services must identify the FIPS 199 impact level and FedRAMP authorization level for each service [1], implement and maintain security controls [1], and ensure proper disposal of government data [1].

While the concept of an SBOM has gained support from industry [2], there is a desire for uniform standards so that suppliers are not forced to produce multiple versions of the same document [2]. The government is currently seeking input on the proposed rules [3], although there are challenges in aligning SBOMs with the criteria defined by the National Telecommunications and Information Administration [3]. Additionally, industry is urging Congress to hold off on SBOM requirements for defense contractors [3].

Conclusion

The proposed requirements for federal contractors aim to enhance incident response and cybersecurity by requiring a software bill of materials (SBOM) and establishing cybersecurity policies and requirements for contractors maintaining Federal Information Systems (FIS). While there is support for the concept of an SBOM, there is a need for uniform standards to avoid duplication [2]. The government is seeking input on the proposed rules [3], but challenges in aligning SBOMs with existing criteria, together with industry concerns, may affect the final implementation. Industry is urging Congress to delay SBOM requirements for defense contractors [3].

References

[1] https://www.crowell.com/en/insights/client-alerts/far-councils-cyber-harvest-new-incident-reporting-and-federal-information-system-requirements-await-government-contractors
[2] https://www.medtechdive.com/news/biden-orders-software-bill-of-materials-to-boost-cybersecurity-advamed-wan/600594/
[3] https://www.infosecurity-magazine.com/news/us-government-proposes-sbom-rules/