At a glance.
- CMMC issues.
- CISA's forthcoming incident reporting rules.
- US FTC blog post on breach disclosure.
Small US Government contractors struggle with the CMMC.
README discusses the US Cybersecurity Maturity Model Certification program (CMMC) and the challenges it poses for small defense contractors. Under the program, approximately 80,000 companies that sell to the US military will need to pass a cybersecurity audit before they can bid for business, and many are not prepared for the red tape and steep costs that complying with CMMC will likely involve. Michael Dunbar, president of a small fuel and lubricant company that works with the DOD, said of the new requirements, “We were going to have to be compliant with this stuff, but they just kept using all these different acronyms, and I had no idea what anything meant.”
At first stalled by a flurry of criticism from industry advocates who felt the program was unnecessarily complicated and restrictive, the CMMC was overhauled by the Biden administration at the end of 2021. Under CMMC 2.0, the majority of defense contractors will be classified as “CMMC level one,” where the only requirement is a self-assessment. However, even a self-assessment is likely to overwhelm smaller subcontractors like Dunbar, who are ill-equipped to navigate the level of cybersecurity knowledge the CMMC requires. And for level two firms, the cost of the required compliance assessments could be crippling.
What to expect from CISA’s incident reporting rules.
When the US Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March, the Cybersecurity & Infrastructure Security Agency (CISA) was given two years to develop the proposed rules. While CISA has not yet finalized the CIRCIA rules, on April 7 the agency provided stakeholders with guidance about cyber incident reporting, and JDSupra offers an overview of CISA’s priorities. The guidance outlines what to share, who should share, and how to share information about unusual cyber activity. CISA has three mechanisms for sharing cyber event information: completing an incident report form in the CISA Incident Reporting System, emailing Reports@cisa.gov, or sending details about phishing operations to Phishing-report@us-cert.gov. Though CISA has two years to finalize the rules, the agency is expected to issue additional guidance in an NPRM in advance of that date.
Informal breach reporting guidance from the FTC.
Staying on the topic of incident reporting requirements, last week the Federal Trade Commission’s (FTC) Team CTO and the Division of Privacy and Identity Protection published a blog post stressing the importance of breach disclosures. Although no section of the Federal Trade Commission Act imposes an EXPRESS data breach notification requirement, the FTC indicates that in some cases there could be a de facto data breach notification requirement, and it encourages businesses to take this into account when designing their incident response plans. In fact, the post states, "Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act." As the National Law Review explains, the post goes on to describe recent real-life incidents in which reporting failures were deemed unfair or deceptive trade practices and led to enforcement actions.