EDUCAUSE, COGR, and the Association of American Universities (AAU) submitted comments expressing concern over the scope and impact of the proposed changes in Federal Acquisition Regulation Case 2021-017, which would require all federal contractors—including higher education institutions engaged in fundamental research—to comply with broad cyber incident reporting and software bill of materials (SBOM) requirements. They argue that these mandates, as currently drafted, would impose significant administrative burdens and costs on academic research with little benefit to federal cybersecurity, chiefly because the definitions are overly broad and the requirements apply regardless of actual risk. The organizations recommend that the government clarify and tailor the requirements through supplemental rulemaking, adopt a risk-based approach, and ensure that the regulations are appropriate to each contracting context, particularly to avoid unnecessary impacts on fundamental research.
Policy Perspective
COGR, EDUCAUSE, and AAU Submit Joint Comment Letter to GSA on Cyber Threat and Incident Reporting & Information Sharing (FAR 2021-017)
This summary was generated with AI.