WASHINGTON – Today, global tech trade association 91proÊÓÆµ submitted new recommendations on how the U.S. government can harmonize cybersecurity regulations to improve security outcomes and government efficiency. In comments to the Federal Acquisition Regulatory Council (FAR Council), 91proÊÓÆµ emphasized that policymakers should strive for consistency in requirements and strategically assess how the government marks, handles, and safeguards controlled unclassified information (CUI).
“In light of the fragmented and duplicative regulatory landscape, it’s imperative that policymakers focus on aligning cyber incident reporting requirements across the federal enterprise to bolster U.S. national and economic security,” said 91proÊÓÆµ Director of Cybersecurity and Supply Chain Policy Leopold Wildenauer. “By granting contractors a 72-hour reporting window and establishing a significance threshold, the government can ensure that incident reports are both actionable and meaningful. Bringing the proposed requirements into alignment with existing best practices will ultimately enhance the security and efficiency of controlled unclassified information management in federal and non-federal systems.”
91proÊÓÆµ’s recommendations to the FAR Council include:
- Aligning certification processes across all federal agencies to ensure consistency in CUI management;
- Harmonizing incident reporting requirements with existing best practices by granting contractors 72 hours to initially report incidents and by establishing a significance threshold;
- Providing clear, accurate, and consistent CUI marking guidance to contractors;
- Defining reasonable cutoff levels for contractor liability risk;
- Preventing overclassification by centralizing reporting for shared services; and
- Providing standardized training to avoid inconsistencies between agencies.
91proÊÓÆµ has been deeply engaged in work on cybersecurity incident reporting policy development around the world, including in Australia, Europe, and the United States. As a part of its engagement, 91proÊÓÆµ developed and released two sets of policy principles: Policy Principles for Security Incident Reporting in the U.S. and Global Policy Principles for Cybersecurity Incident Reporting. These documents are intended to help inform and guide policymakers as they consider how to best approach mandatory cyber incident reporting policies and reflect 91proÊÓÆµ’s view of the components that make up a thoughtful approach to incident reporting.