If you provide IT services or equipment to the government…
Your logging and reporting requirements are going to increase.
IT service and equipment providers will have several new FAR and DFARS clauses in the coming months, generally related to information sharing and incident response. First, various government agencies will review existing FAR clauses and suggest updates to require service providers to:
- preserve significant data related to cybersecurity event prevention and detection;
- share that data as it relates to potential cybersecurity incidents;
- collaborate with federal investigative agencies in response to potential incidents; and
- share cyberthreat information in industry-recognized formats.
Next, government agencies will review existing FAR clauses and suggest updates that address:
- the types of security incidents that require reporting;
- what information must be included in reports;
- appropriate privacy protections for these reports;
- time periods for reporting (but not more than 72 hours for most serious breaches);
- additional reporting requirements; and
- which contractors need to report breaches.
The EO is attempting to get more information, faster, so that the government can respond more quickly to problems and, ideally, to potential problems. The administration recognizes that much of the necessary information resides in the hands of government contractors. The government’s lack of visibility will increase as it pushes more of its IT infrastructure into the cloud, as discussed below.
It is too early to say definitively what these new clauses will look like, as it will likely take more than a month before proposed language is circulated. However, if past is prologue, look for STIX and TAXII requirements, and a web-based breach reporting portal with certificate requirements.
There will be lots of opportunity for work.
There are significant IT modernization goals in the EO. The EO pushes the government to fully adopt cloud services and move towards Zero Trust Architecture. IT modernization has been a government “priority” for years, but the EO provides more direction. What it does not provide is funding.
Parts of the government have been moving to the cloud for years, but the challenge is perfectly illustrated by DoD’s JEDI contract. IT modernization has been notoriously underfunded for years, and a complete change of architecture is an enormous lift.
Service providers who can assist with this transition, as well as cloud providers, should have significant opportunities as federal agencies grapple with it.