The Biden administration has proposed new cybersecurity requirements for federal contractors, including those of the Department of Defense, NASA, and the General Services Administration. The requirements aim to strengthen incident response and cybersecurity by mandating a software bill of materials (SBOM) and by establishing cybersecurity policies and requirements for contractors that maintain Federal Information Systems (FIS).
The proposed requirements call for the development and maintenance of an SBOM for any software used in federal contracts. An SBOM is an electronically readable inventory of every component in a piece of software, including the hierarchical (dependency) relationships between those components. The proposal is intended to improve incident response and cybersecurity, as directed by an executive order signed by President Joe Biden.
In addition to the SBOM requirement, federal contractors would need to cooperate with, and provide access to, CISA engagement services for threat hunting and incident response. In the event of a security incident, contractors must give CISA, the FBI, and the contracting agency full access to their information systems and personnel. Contractors operating in foreign countries may face additional reporting and support requirements.
The proposed rule also sets out cybersecurity policies and requirements for contractors maintaining Federal Information Systems (FIS). Contractors must categorize each FIS by its FIPS 199 impact level and implement the corresponding security and privacy controls. They must also conduct annual cyber threat hunting and vulnerability assessments, as well as independent security assessments. Agencies will specify additional security and privacy controls based on NIST guidelines.
The proposed rules apply to both non-cloud and cloud computing services. Contractors using non-cloud services must provide timely access to government data and conduct assessments. Contractors using cloud services must identify the FIPS 199 impact level and FedRAMP authorization level for each service, implement and maintain security controls, and ensure proper disposal of government data.
While the concept of an SBOM has gained support from industry, there is a desire for uniform standards so that vendors are not forced to produce multiple versions of the same document. The government is currently seeking input on the proposed rules, although aligning SBOMs with the criteria defined by the National Telecommunications and Information Administration presents challenges. Industry is also urging Congress to hold off on SBOM requirements for defense contractors.
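To make the SBOM definition above concrete, and to show the kind of alignment check the NTIA criteria imply, here is an added example (not part of the original article and not any agency's or vendor's tooling). It walks a small SBOM, lists the hierarchical dependency relationships, and flags components that lack the NTIA minimum elements (supplier, name, version, unique identifier, dependency relationship, author, timestamp). The sample document, its component names, and its `bom-ref`/`purl` field names are constructed here in a CycloneDX-like shape; they are assumptions for illustration, not a real project's SBOM.

```python
"""Walk a small SBOM and check it against the NTIA minimum elements.

The SAMPLE_SBOM below is constructed for this example. It mirrors the shape
of a CycloneDX JSON document (components plus a dependency graph keyed by
bom-ref) but is not a real project's SBOM.
"""
from __future__ import annotations

from collections import deque

# NTIA minimum elements: per component, the supplier, name, version and a
# unique identifier; per document, the author and timestamp. Dependency
# relationships are checked separately via the dependency graph.
COMPONENT_FIELDS = ("supplier", "name", "version", "purl")
DOCUMENT_FIELDS = ("author", "timestamp")

SAMPLE_SBOM = {  # constructed sample, not a real SBOM
    "metadata": {"author": "example-build-system",
                 "timestamp": "2023-10-01T00:00:00Z"},
    "components": [
        {"bom-ref": "app", "name": "contract-portal", "version": "2.1.0",
         "supplier": "Example Contractor",
         "purl": "pkg:generic/contract-portal@2.1.0"},
        {"bom-ref": "web", "name": "webframework", "version": "4.2.0",
         "supplier": "Upstream Org", "purl": "pkg:pypi/webframework@4.2.0"},
        {"bom-ref": "tmpl", "name": "templating", "version": "3.1.2",
         "supplier": "Upstream Org", "purl": "pkg:pypi/templating@3.1.2"},
        # deliberately incomplete entry: no supplier, no unique identifier
        {"bom-ref": "log", "name": "logutil", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "log"]},
        {"ref": "web", "dependsOn": ["tmpl"]},
        {"ref": "tmpl", "dependsOn": []},
        {"ref": "log", "dependsOn": ["ghost"]},  # dangling reference
    ],
}


def components_by_ref(sbom: dict) -> dict[str, dict]:
    """Index components by their bom-ref so dependency edges can be resolved."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def missing_elements(sbom: dict) -> dict[str, list[str]]:
    """Return {ref or 'document': [missing field, ...]} for every gap found."""
    gaps: dict[str, list[str]] = {}
    meta = sbom.get("metadata", {})
    doc_missing = [f for f in DOCUMENT_FIELDS if not meta.get(f)]
    if doc_missing:
        gaps["document"] = doc_missing
    for ref, comp in components_by_ref(sbom).items():
        missing = [f for f in COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            gaps[ref] = missing
    return gaps


def dangling_refs(sbom: dict) -> list[str]:
    """Dependency targets that have no component entry (broken hierarchy)."""
    known = components_by_ref(sbom)
    out = set()
    for dep in sbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in known:
                out.add(target)
    return sorted(out)


def dependency_tree(sbom: dict, root: str) -> list[tuple[int, str]]:
    """Depth-first walk returning (depth, ref) pairs; a cycle is expanded once."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen: set[str] = set()
    out: list[tuple[int, str]] = []

    def walk(ref: str, depth: int) -> None:
        out.append((depth, ref))
        if ref in seen:  # already expanded: record the edge but do not recurse
            return
        seen.add(ref)
        for child in edges.get(ref, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


def transitive_closure(sbom: dict, root: str) -> set[str]:
    """Every component reachable from root: the inventory an incident responder
    consults when a vulnerable package is announced."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen = {root}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen - {root}


if __name__ == "__main__":
    for depth, ref in dependency_tree(SAMPLE_SBOM, "app"):
        print("  " * depth + ref)
    print("missing elements:", missing_elements(SAMPLE_SBOM))
    print("dangling references:", dangling_refs(SAMPLE_SBOM))
```

Two checks matter for the "uniform standards" concern in the text: `missing_elements` reports the `logutil` entry as lacking a supplier and identifier, and `dangling_refs` reports that `ghost` is referenced but never described, so the hierarchy cannot be trusted. A receiving agency would reject either before using the SBOM for incident triage.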
In summary, the proposed requirements aim to strengthen incident response and cybersecurity by mandating an SBOM and by establishing cybersecurity policies and requirements for contractors maintaining Federal Information Systems (FIS). The SBOM concept has support, but uniform standards are needed to avoid duplicate documents. The government is seeking input on the proposed rules, and the difficulty of aligning SBOMs with existing criteria, together with industry concerns, may shape the final implementation. Industry is urging Congress to delay SBOM requirements for defense contractors.