The Department of Defense, NASA and the General Services Administration have proposed a rule that aims to promote information sharing on cyberthreats and incidents between the government and information and operational technology service providers in accordance with the 2021 cybersecurity executive order.
The agencies introduced the rule as an amendment to the Federal Acquisition Regulation and as part of efforts to strengthen and standardize contract requirements for cybersecurity in support of the National Cyber Strategy’s implementation, according to a Federal Register notice published Tuesday.
The proposed regulation includes a requirement for contractors to create and maintain a software bill of materials for any software offerings used in contract work. The agencies want insights from the public on several questions, including the approach for collecting SBOMs from contractors and challenges facing vendors when it comes to SBOM development.
GSA, NASA and DOD are also seeking responses from interested stakeholders on questions about access to contractor data and information systems, compliance when reporting in a foreign country, and harmonization of security incident reporting.
Interested parties can submit written comments on the proposed rule through Dec. 4.