The government has proposed revisions to the Federal Acquisition Regulation (FAR) to help boost and standardize the cybersecurity measures of the government’s information systems. These were initiated in May 2021 by Executive Order 14028 on improving the nation’s cybersecurity, issued on May 12, 2021. The FAR draft changes require that cybersecurity requirements be standardized, and they create new information-sharing rules regarding cyber threats and incident reporting. The proposed changes were issued on October 3, 2023 and published in the Federal Register as “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.”
First, the Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) proposed revisions to the FAR to standardize cybersecurity requirements for unclassified federal information systems (FISs). Because government contract requirements are “largely based on agency-specific policies and regulations” that can result in “inconsistent security requirements across contracts,” the new regulations seek to harmonize the requirements across federal agencies.
FAR Case 2021-019 proposes that DoD, GSA, and NASA standardize cybersecurity contractual requirements for Federal Information Systems (FIS) throughout all Federal agencies. This would apply to all acquisition policies, procedures, and requirements regarding cloud and non-cloud FIS.
The new FAR clauses are FAR Clause 52.239-YY (FISs Using Non-Cloud Computing Services) and FAR Clause 52.239-XX (FISs Using Cloud Computing Services).
FAR Clause 52.239-YY will require agencies to use Federal Information Processing Standard (FIPS) Publication 199 to identify security and privacy controls when agencies outline their acquisition requirements. Part of the new rule will require agencies to include multifactor authentication processes, consent banners, and assessment requirements in every contract. In addition, FAR Clause 52.239-YY requires contractors to provide government representatives with timely and full access to Government and Government-related data, as well as timely access to contractor personnel involved in contract performance and access to any contractor facility holding government data, including metadata.
FAR Clause 52.239-XX states that when acquiring services that develop, implement, operate, or maintain cloud computing services, agencies will specify the FIPS Publication 199 impact level and the Federal Risk and Authorization Management Program (FedRAMP) authorization level for all applicable cloud computing services in the contract.
Cybersecurity Requirements Would Increase Contractor’s Obligations
Secondly, DoD, GSA, and NASA proposed new cyber threat incident reporting and information-sharing requirements that will apply to contractors (and their first-tier subcontractors) under revised FAR clauses to be included in government contracts that pertain to the use of information and communications technology (ICT). These clauses may apply to 75 percent of all Federal contractors.
If implemented as proposed, these regulations will require contractors to take additional steps to ensure an effective incident response and investigation of potential incidents. The proposed rule expands a number of definitions, including ICT and what constitutes a security incident to a Federal information system that qualifies for the reporting requirements.
The requirements also oblige contractors to provide federal law enforcement agencies and the contracting agency full access to applicable contractor information, information systems, and personnel when an incident is reported by the contractor or when the government identifies a threat. Contractors would be required to “immediately and thoroughly” investigate a situation where a security incident may have taken place. Contractors would be mandated to report any such incidents through the Cybersecurity and Infrastructure Security Agency (CISA) portal within 8 hours of the occurrence. Contractors would be required to grant CISA and law enforcement full access to applicable contractor information systems.
A new requirement would be the development of a Software Bill of Materials (SBOM) identifying any software used by the contractor in contract delivery, even when no security incident has occurred. With respect to non-cloud-based services, contractors would be required to conduct annual cyber threat and vulnerability assessments. For cloud-based services, contractors would be required to maintain safeguards such as those established by the FedRAMP program and to conduct continuous monitoring.
For any additional questions, contact Coley at firstname.lastname@example.org, by phone at 210-402-6766, or schedule a call at a time convenient for you. In addition, you can visit FedMap and join the online community where contracting entrepreneurs connect with growth-minded peers to network and discuss contracting challenges.
Senior Consultant with Coley GCS, LLC, a Government Contracts Consulting, Coaching and Training company. Published author and certified FedMap Coach with over 40 years’ experience working with Federal agencies and contractors.