WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Recommended Changes in Cyber Incident Reporting Section of OMB Draft Guidance #53

Open bscarpelli opened 9 years ago

bscarpelli commented 9 years ago

TIA appreciates OMB's effort to develop guidance for contractor reporting of cyber incidents. In order to ensure that "reporting will promote timely and meaningful information sharing that allows both the contractor and the agency to work closely together to investigate the incident, identify affected individuals, quickly respond to the incident and take other appropriate actions as necessary," TIA urges OMB to ensure that it minimizes the burdens on contractors by ensuring a simplified and clear reporting procedure. In the Cyber Incident Reporting section, we recommend that OMB specifically recommend in its guidance that agencies shall make efforts to create straightforward and clear guidance on cyber incident reporting.

Incident reporting should not include “potentially adverse effects.” This is far too broad and not risk-based. It will result in over-reporting. It will divert resources from responding to events that cause actual harm without yielding significant security benefits. TIA urges OMB to eliminate “or potentially adverse effects” from the first paragraph of the Cyber Incident Reporting section.

The section on contract language requires inclusion of “Specific government remedies if a contractor fails to report according to the agreed upon contractual language.” Any such remedies should be defined by law or regulation, be proportionate to the actual harm suffered by the relevant agency, and take into account whether notification was briefly delayed, delayed by weeks or months, or never provided. TIA urges OMB to include that “…specific government remedies if a contractor fails to report according to the agreed upon contractual language” may be defined by law or regulation, should be proportionate to the actual harm suffered by the relevant agency, and should take into account whether notification was briefly delayed, delayed by weeks or months, or never provided.

At the end of the section, it states that contractors “shall” report incidents not only to the SOC, but also to four other officials. Contractor reports should be made only to the SOC, which should then report to other agency officials. SOC personnel are in a better position to identify the current officials and provide notification in the most secure manner. TIA urges OMB to eliminate the proposed requirement on contractors to report incidents to officials other than the SOC.