Chamber pushes back on cyber rules for contractors

Chamber pushes back on cyber rules for contractors
© Thinkstock

The U.S. Chamber of Commerce is concerned that the White House’s looming cybersecurity requirements for federal contractors will become a “checklist” that isn’t robust enough to address evolving threats.

“The guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats to agencies’ and contractors’ information networks and systems,” the business lobby said in a Thursday letter responding to the draft proposal put out by the Office of Management and Budget (OMB). 

Part of a broad effort to improve federal network security in the wake of several high-profile breaches, the new rules would require government contractors handling sensitive data to meet baseline security requirements and report digital intrusions to authorities. 

The Chamber’s letter offers a wide-ranging list of recommendations for changing the proposal, criticizing the current draft as overly vague. 

“The OMB guidance document seeks to achieve a certain level of cybersecurity consistency in federal procurement contracts,” the Chamber writes. “But the level of cybersecurity sophistication required under the contracts is seemingly unclear.”

The guidance should create a framework that would allow contractors to progress from one tier to another as the degree of risk management required to protect data increased, the Chamber suggests.

“Some contractors would not be handling controlled unclassified information [CUI] but still need to use adequate cybersecurity practices,” the Chamber writes. “Conversely, other contractors would be handling CUI and their cybersecurity practices ostensibly need to be at minimum or higher levels of maturity, relative to the importance of the CUI.” 

The Chamber also expressed concerns that the guidelines provide unclear definitions of terms like “cyber incident” and “controlled unclassified information.”

Calling the 30-day comment period that closed Sept. 10 “too short to allow for organizations to provide sufficient input,” the Chamber requested more time for public comment on the proposed regulations.