In November 2018, U.S. General Services Administration (GSA) published its intent to enact a new rule on the reporting of data breaches. GSA is the U.S. government’s lead contracting agency. GSA also manages many government-wide IT security programs, like FedRAMP and cloud.gov.
The proposed rule will ensure that GSA, plus the agency customer, will have access to the breached system. Government contractors will have to provide access to the system and take steps to preserve digital evidence. The government’s role in handling the contractor’s proprietary information will also be addressed.
The proposed rule is scheduled to be published in the Federal Register in February 2019.
Full text of Abstract from the Introduction to the Unified Agenda of Federal Regulatory and Deregulatory Actions-Fall 2018 (published 11/16/2018 in the Federal Register):
The General Services Administration (GSA) is proposing to amend the General Services Administration Acquisition Regulation (GSAR) to provide requirements for GSA contractors to report cyber incidents that could potentially affect GSA or its customer agencies. The rule integrates the existing cyber incident reporting policy within GSA Order CIO 9297.2C, GSA Information Breach Notification Policy that did not previously go through the rulemaking process into the GSAR. By incorporating cyber incident reporting requirements into the GSAR, the GSAR will provide centralized guidance to ensure consistent application of cybersecurity principles across the organization. Integrating these requirements into the GSAR will also allow industry to provide public comments through the rulemaking process.
The rule outlines the roles and responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA’s contracts in the reporting of a cyber incident. The rule establishes a contractor’s responsibility to report any cyber incident where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.
It establishes an explicit time-frame for reporting cyber incidents, details the required elements of a cyber incident report, and provides the required Government’s points of contact for submitting the cyber incident report.
The rule also outlines additional contractor requirements that may apply for any cyber incidents involving personally identifiable information. In addition, the rule clarifies both GSA’s and ordering agencies’ authority to access contractor systems in the event of a cyber incident. It also establishes the role of GSA in the cyber incident reporting process and explains how the primary response agency for a cyber incident is determined. Further, it establishes the requirement for contractors to preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents. The rule also outlines how contractor attribution/proprietary information provided as part of the cyber incident reporting process will be protected and used.
This is a significant new breach investigation rule to watch and prepare for.