
Federal CISO Chris DeRusha promises that the Federal Acquisition Regulation will be updated to require contractors to disclose cyber incidents—“a pretty logical thing to do”—but it will take a year or two to make happen. OMB has submitted two proposals taking steps down that road, and agencies already are taking independent steps in that direction. For example, the Department of Education has implemented a FAR deviation to include supply chain actions, secure software requirements, and Federal Risk and Authorization Management Program adherence in contracts, which it is using to award contracts to compliant startups over incumbents.
