The U.S. General Services Administration (GSA) plans on proposing new laws in the Federal Register next spring for Federal contractors that would put the accountability on contractors to report any cyber incident that potentially compromises systems or information held by the government. According to a regulatory roadmap released last week noted that contractors would need to meet an updated standard to report any cyber incident where the integrity, confidentiality, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised. The roadmap also would build an explicit timeframe to notify the breach.
Currently, contractors are required to report breaches that include PII (Personally Identifiable Information) under the current breach notification policy, GSA Order CIO 9297.2C. That policy did not go through the public comment process and was declared by agency CIO David Shive. The roadmap also stated that by consolidating Cyber incident reporting requirements into the General Services Administration Acquisition Regulation (GSAR), the regulation will provide centralized guidance to assure consistent application of Cybersecurity principles across the organization. The new rules will also comprise additional requirements for PII breach reporting, clarify both GSA’s and ordering agencies’ authority to access contractor systems in the occurrence of a cyber incident, and set up how contractor information will be defended.
According to the roadmap, the new guidance also will require contractors to preserve images of affected systems and ensure contractor employees receive proper training for reporting cyber incidents. The proposed law is set to come in April next year, as well as the comment period closing in June same year, as the roadmap noted.