Alert

FAR Council Proposes Pair of Major Cybersecurity Rules for Government Contracts

October 3, 2023

WHAT: The Federal Acquisition Regulatory Council (FAR Council) proposed a pair of major cybersecurity rules intended to implement key parts of President Biden’s May 2021 Executive Order No. 14028 on Improving the Nation’s Cybersecurity. The proposed rule in FAR Case No. 2021-0017 primarily addresses incident reporting and applies broadly to all contractors that use information and communications technology systems in the performance of a government contract. The proposed rule in FAR Case No. 2021-0019 aims to standardize security requirements for federal information systems (FIS)—the types of information systems and technology that contractors provide or maintain for the Government as a contractual obligation. Both propose significant new obligations for federal contractors.

WHEN: The FAR Council issued both proposed rules today with a request for comments within 60 days (due December 4, 2023).

WHAT DOES IT MEAN FOR INDUSTRY: If adopted in its current form, the FAR Council’s proposed rule on incident reporting (FAR Case No. 2021-0017) is likely to have the broadest impact, applying across federal agencies and to all contract types and affecting approximately 75 percent of contractors, according to the FAR Council. The proposed contract clause included with the rule also would demand more from contractors than the current Department of Defense (DoD) contract clause at DFARS 252.204-7012 or the FAR clause at 52.204-21, such as “security incident” reporting to the Cybersecurity & Infrastructure Security Agency (CISA) within eight hours of discovery and every 72 hours thereafter. And, although the FAR Council frames the rule as focused on incident reporting, it includes significant requirements that apply even when a contractor has not been affected by a security incident. Paragraph (c)(3) of the proposed contract clause, for example, would require all contractors to maintain and provide a current Software Bill of Materials (SBOM) “for each piece of computer software used in performance of the contract.” The proposed rule also requires contractors to certify, as a condition of receiving future contracts, that they have “submitted in a current, accurate, and complete manner, all security incident reports required by” the contract clause proposed in this rule.

The proposed rule in FAR Case No. 2021-0019 is intended to standardize the requirements for FIS provided or maintained as part of a contractual requirement. Although the proposed rule focuses on defining the cybersecurity requirements that contractors must implement for these FIS, it also includes other notable obligations, such as a requirement to indemnify the Government for a broad range of potential liabilities arising from either introducing unauthorized data or information into a government system or releasing information from a government system without authorization.

The Wiley team will provide further details on the key elements of both rules in a forthcoming follow-up Alert.
