The U.S. government’s principal contracting agency plans to formalize how and when contractors must disclose data breaches, and to give the government better visibility into how serious those breaches are. According to a regulatory roadmap set to be published in Friday’s Federal Register, the proposed rule would require that the General Services Administration (GSA) and the agency served by the contract be given access to the breached contractor systems.
The roadmap also states that contractors will be required to preserve images of the affected systems for the government to review; preserving a forensic image rather than remediating in place keeps the evidence intact for that review. The proposed rule is scheduled for publication next February, with a comment period closing in April. Contractors have often been a weak point in federal cybersecurity efforts. In 2014, two separate contractor breaches exposed background-check information on roughly 48,000 and 25,000 government employees respectively. Those incidents were soon overshadowed by the far larger 2015 Office of Personnel Management breach, which exposed background-check records on more than 20 million current and former federal employees and their families. In 2011, the contractor Science Applications International Corp. lost track of the health records of around 4.9 million military health care beneficiaries when the records were stolen from an employee’s car.
BitSight, a cybersecurity ratings firm, found in a February report that since January 2016 more than 8 percent of health-sector government contractors and 5.6 percent of aerospace and defense contractors had disclosed a data breach. The report further noted that contractors’ cybersecurity performance was frequently weaker than that of the federal agencies they serve.
GSA’s proposed rule would also require contractors to report any data breach that compromises the confidentiality, integrity, or availability of data or information systems owned or managed on behalf of government agencies. The notice says that such requirements already exist but have never gone through a formal rulemaking process and are not consistently followed. The rule would also spell out how the government will use and protect any sensitive or proprietary information a contractor shares as part of a breach investigation, according to the notice.