February 2, 2024
Re: FAR Case 2021–019
The Operational Technology Cybersecurity Coalition (OTCC) appreciates the opportunity to submit feedback on FAR Case 2021–019, which seeks to amend the Federal Acquisition Regulation (FAR) to partially implement Executive Order 14028 to standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems (FIS).
The OTCC is a diverse group of leading industrial control systems (ICS) and operational technology (OT) cybersecurity vendors covering the entire OT lifecycle. As such, we applaud the decision to require contractors to develop and maintain a list of the physical location of all operational technology equipment included within the boundary for the non-cloud FIS and provide a copy to the Government, upon request. This decision acknowledges the evolving nature of cyber threats and the interdependence between information technology (IT) and OT systems and reflects a shift toward a more holistic approach to safeguarding FIS.
In building out specific guidance for the rule, we encourage you to take into account these additional considerations.
Standardize the OT Equipment List
The proposed rule does not specify a format for the OT equipment list. It simply says that “contractors must ensure that the list includes enough information about the equipment to positively locate and track any movement of the equipment during contract performance, including details on password protection and the ability for remote access to the equipment.”
To ensure that contractors track the information the government needs in order to act in the event of a cyber breach, we encourage the rule to include more specifics about the information the government needs to receive, with appropriate flexibility to accommodate the diverse nature of FIS. We also recommend that the government specify the format of the data in a way that is technically neutral and readable, to avoid vendor lock-in to a specific format. This additional information would further standardize this requirement and avoid an agency-by-agency approach.
Provision of the List to the Government
The proposed rule includes generic language requiring companies to “provide the Government with a copy of the current and/or historical lists, upon request.” This presumably means that the contractors would be required to give the list to the contracting agency, since no other agency is otherwise specified in the proposed rule.
These OT equipment lists present possible security risks to government networks by effectively serving as “roadmaps” for malicious actors seeking to understand the networks and exploit vulnerabilities. The OT equipment lists could also reveal sensitive intellectual property information or give companies insights into the components and dependencies of their competitors’ technological architecture, making it possible for them to replicate or surpass the services offered by their competitors. Therefore, wherever OT equipment lists are collected, they must be securely transmitted and stored. Before any OT equipment list requirements are imposed, the government needs to establish a secure system for transmitting and storing OT equipment lists, as well as clear guidelines that govern when, how, and under what circumstances OT equipment lists can be accessed and used.
Further, not having a single entity in charge of receiving, reviewing, and storing the OT equipment lists puts the information at risk due to varying levels of cybersecurity maturity at each agency. It therefore makes more sense to develop a central, secure database to maintain vendor information, which can in turn be accessed by agencies that need a contractor’s OT equipment lists.
Again, the OTCC thanks you for the opportunity to share our concerns with FAR Case 2021–019 and looks forward to further engagement on this issue.
Sincerely,
Andrew Howell
Executive Director, OTCC