Bloomberg Law
Feb. 6, 2023, 10:00 AM

As Cyberattacks Become ‘So Cheap,’ US Vendors Prep for New Rules

Josh Axelrod
Josh Axelrod

An aggressive top-down push to improve federal offices’ cybersecurity will alter workflows for contractors, and the private sector is joined by some voices within the government in objecting to additional regulatory requirements.

Modifications to how vendors manage software sales to breach incident reporting are all coming up in 2023.

The spate of new rules, frameworks, and strategies reflects a dynamic threat landscape in which bad actors have successfully attacked hospital systems, school district networks, and even local drinking supplies. Critical infrastructure all the way up to the government’s trove of sensitive data are at constant risk.

“The scary fact is that the ability to procure the tools and techniques to compromise federal systems have gotten so cheap and so readily available through ransomware gangs, through ransomware-as-a-service, through just scripts posted on ‘here’s how you take down this vulnerability,’” Matt Hayden, vice president of cyber client engagement for GDIT, told Bloomberg Government.

The federal market for cyber equipment, software, and services used to protect networks, computers, programs, and data from attack reached an all-time high of $8.7 billion in fiscal 2022, a 180% increase over the last decade.

National Cybersecurity Strategy

Cybersecurity professionals are expecting President Joe Biden to release his National Cybersecurity Strategy imminently. The president will call for more regulation on critical infrastructure sectors.

Chris Inglis, the national cyber adviser and architect of the strategy, announced his retirement in December and his departure is likely to be timed to publication.

While the strategy won’t have any regulatory teeth itself, it could prompt action for agencies to move on new rules—especially in sectors like pipelines and wastewater systems.

“The strategy is naturally setting the tone and then you’re going to have to see how the implementation is at the agency level,” Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, said. “But what I would anticipate is that you’re going to have the bar raised for what’s expected from critical infrastructure entities.”

Action that could follow also includes the Office of Management and Budget issuing requirements to agencies, more Biden executive orders, or the Cybersecurity and Infrastructure Security Agency creating binding operational directives to safeguard federal information systems.

SEC Cyberattack Reporting

The Securities and Exchange Commission is finalizing a rule to require publicly traded companies to report cyberattacks to investors within four business days.

Because a cyberattack can result in costs related to business interruption, ransom payments, increased insurance premiums, and litigation, boards of directors must bolster their companies’ cybersecurity risk management, the SEC reasoned in its proposed rule last year.

Boards will have to report when the incident was discovered, what happened, whether data was stolen, how the incident affected operations, and what remediation steps have been taken.

What exactly will qualify as a “material cybersecurity incident” requiring disclosure is still unclear, however. The regulation is in the final rule stage and is expected in April, according to OMB.

The rule has received fierce pushback from the private sector over its ambiguity, practicality, and overlapping mandates. A group of 34 trade associations wrote a letter to the SEC last June laying out its concerns.

“You’ve got this range of different people that you have to report to at different times,” Davis Hake, the Obama administration’s director for federal IT security on the National Security Council, told Bloomberg Government. “And the ability to actually do this operationally does start to create a huge headache.”

Contractors at publicly traded companies can begin preparing by educating their boards on cyber threats and updating their incident response playbooks to include reporting to the SEC.

Secure Software Attestation

Another new rule will require software vendors to provide federal agencies with self-attestation letters, certifying that their products meet National Institute of Standards and Technology guidance.

Federal Acquisition Regulation officials are still working to finalize the proposed rule, but the General Services Administration has already said it will start collecting attestations by June 12.

Biden issued an executive order in 2021 on “Improving the Nation’s Cybersecurity,” requiring OMB to recommend language for updating federal procurement rules. It is a response to a major cyber breach in 2020 that compromised SolarWinds software and others and went undetected for months.

GSA is in the process of developing training on the new rule and “anticipates a forthcoming FAR rule will provide definitive instructions for the requirements of the attestation at the contract level.” The agency plans to use a Cybersecurity and Infrastructure Security Agency form that it expects to be available before June on GSA’s website.

Both vendors and agency contracting offices have complained the rule needs much clarification on who will collect the attestation letters and how to scale it across the government.

“I don’t know how that can possibly work,” Joanne Woytek, NASA program manager for the governmentwide acquisition contract known as SEWP, said at a GovExec event last week.

Earlier: Newest Software Cybersecurity Rule Draws Jeers from Agencies

Contractors may “have to do some digging” especially if they use third party partners,” according to Hayden.

“You may have to pick up the phone and say, ‘Hey, I’m looking at my index of all of your index of index of indexes and I’ve got some gaps. Do you have an update on your software bill of materials for product X and version number Y?,’” Hayden said.

“It’s something everyone in that supply chain should be expecting by this point. So there’s not going to be a software vendor in business today that doesn’t already have an idea of what building blocks they’re using,” he added.

CMMC 2.0

There has been a drawn-out transition to the 2.0 iteration of the Defense Department’s Cybersecurity Maturity Model Certification program, which has been in place since 2020. There’s a lack of clarity on the program’s timeline and a CMMC 2.0 compliance date for defense industrial base contractors is up in the air.

“1.0 was in draft for six-plus years, so I think it’s still in draft in a lot of ways,” Vishaal “V8" Hariprasad, chief executive officer of cybersecurity company Resilience, said. “I don’t hold out too much hope for CMMC moving out of draft status or coming into a final status anytime soon.”

The new framework will be implemented through the rulemaking process, which the DOD said can take up to two years since the program was first announced in November 2021.

“The scale and scope of what they’re trying to do, while admirable, is not going to move at the speed of the cyber threat environment,” Hariprasad said. “Standards have come and changed, iterated multiple times, while CMMC 1.0 has still been in draft. I do worry that these type of standards are just not going to be able to keep up with an evolving threat landscape.”

CMMC 2.0 will be tied more closely to NIST standards that defense contractors should already be familiar with. It will allow for some self-assessments in order to streamline the review process as well as institute a network of independent third-party assessors.

To contact the reporter on this story: Josh Axelrod in Washington at

To contact the editors responsible for this story: Amanda H. Allen at; Jay-Anne B. Casuga at