The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is exactly what it sounds like: a mandate for reporting. There’s also a cyber reporting rule from the Securities and Exchange Commission already in effect. Is it overkill? Executive Vice President for Policy at the Professional Services Council Stephanie Kostro shared more with the Federal Drive with Tom Temin.
Interview transcript:
Tom Temin
Sounds like contractors are waking up and looking across the landscape at reporting rules. And everywhere you look, there’s another one.
Stephanie Kostro
I have likened to this set of proposed rules and final rules, etc., as a flurry. And it really has been a plethora of cyber incident reporting requirements coming down, not just for companies across the economy, but specifically for government contractors. And we’re following I think it’s 16 separate actions very, very carefully. And those things range from exactly what you said, the SEC had a rule go final last December, that talked about reporting of significant cyber incidents, and it already looks like there are companies out in the economy who are not paying attention to that rule, and has been called to question in several ways in the courts. And so as we move forward with this CIRCIA proposed rule, PSC submitted comments. I think they received close to 300 very substantive, meaty sets of comments. It really is an active space, and contractors are watching it very, very closely.
Tom Temin
Because there doesn’t seem to be a lot of coordination among the agencies that are imposing these rules. Here, you’ve got two we just mentioned that our cyber alone and there might be more coming.
Stephanie Kostro
That’s exactly right. Last year, the second half of 2023, the Office of the National Cyber Director — that’s an office within the White House — released a request for information, asking the public, ‘how can we better harmonize these cyber requirements,’ not just reporting requirements, but across the board. And we, along with others provided some substantive feedback on that. But the landscape continually changes, and we’ve seen lots of proposals introduced, since those comments were due so in the last, say, eight to 10 months, even more cyber incident reporting requirements have come across the transom. Courts are challenging, companies are not necessarily following the rules. It’s really sort of I would liken it to a maelstrom of activity. We are very concerned that some of these reporting requirements might be overly burdensome, particularly on government contractors whose very livelihoods depend on federal work, and they want to be compliant. It’s just what rules should they be more compliant with? It goes back to the old literary references to all these things are created equal, but some are more equal than others. Which ones take precedence for government contractors, which ones should really be the name of the game? And we have some thoughts on that. PSC stands ready to help with collaboration, to help with cooperation with the government to figure out what actually makes our nation more cyber secure, and what incidents should be reported. What ones have the potential to materially impact either the company or the work that the government needs to perform? And so as we move forward, we, alongside several other associations and other companies, want to be helpful in this regard. There’s just so much going on?
Tom Temin
Well, I guess the SEC, to use that example, can only ask publicly traded companies to report and then I presume — I haven’t read their rule — but it would be any incident that might materially affect their being invested in or something, some result that they would have that investors would make a decision on. But in the case of the Cybersecurity and Infrastructure Security Agency, they would be concerned about impacts on the cybersecurity operations and the continuing operations of infrastructure providers. So different purposes for the rules. What’s PSC’s main commentary here? What are you saying, in general, to all these agencies?
Stephanie Kostro
Really happy that you mentioned that, Tom, because some of those government contractors are publicly traded companies. So they are subject to both sets of rules. And our position is, what is CISA trying to do in this space? We want to be supportive of the maintenance and sustainment of government operations, to make sure folks are more cyber secure. So we are hoping to work with them on what entities should be covered, what kinds of cyber incidents should be covered. And to be honest CIRCIA also, this proposed rule talks about ransomware payments or ransom payments. As we move forward, information about payments, etc., that’s important. But does that actually make you more cyber secure? it’s really unpacking what causes the cyber incursions and incidents and preventing them from starting even in the first place. And that is what makes us more cyber secure. And that’s what we at PSC would like to focus on.
Tom Temin
We’re speaking with Stephanie Kostro, executive vice president for policy at the Professional Services Council. There’s another rule reporting situation, of different context, and that is a final rule from the Small Business Administration, getting rid of the idea that you can self-certify that you are service-disabled veteran-owned. And there is a site at which people could do that. That site is not working too well. So what are you finding here? What’s going on?
Stephanie Kostro
I love that you bring this one up as well, Tom, because comments were due here on July 8, regarding this SBA direct final rule, and it’s something that’s not going through their proposed rulemaking process. It’s a direct final rule. And it would implement a section of the fiscal year 2024 National Defense Authorization Act, which eliminates the ability for these service-disabled veteran-owned small businesses to self-certify, to say that they are in fact, service-disabled veterans who have ownership stakes in these small businesses to go through the [Veteran Small Business Certification (VetCERT)] program. We, on the face of it, are supportive of this. It’s the timelines that we are questioning. And here’s the rub. And you mentioned it, Tom: This direct federal rule goes into effect August 5. If you go to the VetCERT program website, they are taking it down to upgrade it on August 1, and it estimates that it will be out for about a month or so, potentially longer, to do system wide upgrades. And what they say is if you’re trying to apply for certification as a service-disabled veteran-owned small business, please wait until this upgrade is over. The issue that we’re facing here is if the website is down and you can’t have new applicants applying for certification here, you’re going to run into a backlog of folks looking for certification. And we wonder whether the SBA has the manpower and the resources necessary to work through that backlog as quickly as they need to. Because, as of October 1 of this year, if you want to get credit for participating as a service-disabled veteran-owned small business, or you have that kind of business among your subcontractors, if you want to claim credit for participation, they have to be certified through this program. So it’s one of these things where I am not entirely sure that, on the face of it, it could be the people writing this direct final rule didn’t talk to the website folks. That happens a lot, not just in government, but across the economy and in companies too. But I hope that they can look at this and go, ‘Hey, maybe we can we can find some wiggle room here for companies to be able to comply with this final rule in a timely manner in a way that makes sense.’ Currently, it just looks like they’re gonna run into a brick wall here.
Tom Temin
Yeah, sounds like the technology and the policy aren’t quite aligned, and not the first time we’ve seen that happen.
Stephanie Kostro
Exactly, exactly. Again, that’s not solely the realm of the government; this happens in companies too. But I would like the SBA, when they read our comments, to note that this is really not a great situation. And they have the power to change some of this.
Tom Temin
All right. And in the couple of minutes we have with you, I wanted to go to a third topic, and that is some of the National Defense Authorization provisions in the House version. And there is a little bit more inflation relief, temporary authority to help adjust for inflation. I’m presuming PSC is in favor of that one?
Stephanie Kostro
We are very much in favor of that. This was a provision that was put into law last year, and it was extended again, and the House passed version of the National Defense Authorization Act for Fiscal 2025 would extend it again. This is temporary authority to allow companies to claim costs incurred for inflation related expenses. And so this is subject to the availability of funds — these kinds of provisions always are — we just like to have the ability for companies to recoup any unexpected expenses due to inflation. And we talked a lot about inflation two years ago, a year and a half ago, even a year ago, it still hasn’t come down to where companies had planned for it to be. And so some of these costs are much higher than they had anticipated and planned for.
Tom Temin
Right. There’s a pretty strong labor market in the United States. And that’s where a lot of the inflation you might see in professional services.
Stephanie Kostro
That’s exactly right, Tom, and we have a tight labor market where we’ve got more job openings than job seekers. And so, as we move forward, we’re gonna have to adjust how we think about labor. And I think we are all for paying laborers more, certainly a wage that they deserve, and even thinking through what the long term implications of this higher-than-expected inflation would be.
Tom Temin
And then there’s the pilot project that the NDAA would launch, and that is that the loser pays for protests, legal costs.
Stephanie Kostro
So this is sort of Groundhog Day for us, Tom, this provision, when if a protest lodged with the Government Accountability Office is denied, that the contractor would pay [the Defense Department] for costs incurred to defend the protest. This was the law of the land from the fiscal year 2018 NDAA; it was repealed. Studies have been done that this kind of approach isn’t the most effective. There aren’t a lot of frivolous protests. And a lot of times GAO comes down not with a clean denial of protest, but something in between where the government and the company work something out. And it’s really unclear to us what would count as a cost incurred by the department in defending a protest. And so, PSC, like we did last year when this provision was in the NDAA, stands ready to talk about negative impacts of protests and to figure out a way that we could help in this regard. I just don’t think rehashing old language is the way to go. And we’re looking to be helpful in that.
The post Contractors see new cyber reporting rules everywhere they look first appeared on Federal News Network.