Open aerospaceindustriesassociation opened 9 years ago
Also, recommend including relevant NIST guidance as in other sections, such as SP 800-83 and SP 800-61, which provide guidelines for incident prevention and handling.
Consider the following statement -
Governments' and contractors' timely and actionable collaboration on relevant cyber incidents is critical to Governments' & Industries' situational awareness, defensive mitigations, and continual risk assessment.
in comparison to the proposed memo guidance text -
Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government's ability to determine appropriate response actions and minimize harm from incidents.
Why the emphasis on "all" and, in generalized terms, "data", when protection of CUI is the intended focus of the proposed memo guidance?
Expansion of the cyber incident reporting requirement will prove burdensome. The Aerospace & Defense Industry has worked with Government agencies to establish a single point of entry for reporting incidents and to act as the nexus for information exchange between DoD, Government Agencies, and Contractors/Subcontractors. Multiple reporting stream requirements will result in inefficiencies and hinder the response and remediation process overall. Reporting responsibility should be with the company with which the government agency has a direct contractual relationship. There is concern that subcontractors may leapfrog the contractual company and directly notify the government agency due to confusion on reporting requirements. In an extreme example, tiered subcontractors may potentially exploit the past performance evaluation factor by negatively misrepresenting the security posture of companies within an industry, which may result in loss of business.