EDUCAUSE Comments: FAR Cyber Incident Reporting

Abstract

On February 2, 2024, EDUCAUSE was joined by COGR and the Association of American Universities (AAU) in submitting comments on proposed changes to the Federal Acquisition Regulation (FAR) that could impose cyber incident reporting and software bill of materials (SBOM) development/maintenance obligations on all federal contractors, including colleges and universities.

EDUCAUSE and its partners noted that the original concept behind the proposal—to impose the possible requirements on direct providers of information technology (IT) and operational technology (OT) goods and services to federal agencies—made sense given the immediate impact that the cybersecurity problems of those providers could have on the cybersecurity posture of the relevant federal agencies and possibly the government as a whole. The associations argued, however, that extending cyber incident reporting to all federal contractors—especially when, in the case of colleges and universities, the security issues in question were unlikely to have any significant implications for federal government cybersecurity—had the potential to create a very significant, counter-productive “signal-to-noise” problem due to the volume of overreporting that would likely ensue. EDUCAUSE, COGR, and AAU also stressed that the proposed SBOM development/maintenance provisions might be workable in some commercial software contexts, but they could easily generate substantial resource drains without producing any significant benefits in relation to federal government cybersecurity when applied to higher education research environments and projects.