Be Heard: Government Contractors Facing Two Significant Changes to Cybersecurity Regulations
On October 3, 2023, DoD, GSA, and NASA proposed two changes to the Federal Acquisition Regulations aimed at strengthening the Federal government’s cybersecurity posture and implementing E.O. 14028, which requires agencies to enhance cybersecurity and software supply chain integrity.
The first proposed rule would standardize cybersecurity requirements for unclassified Federal information systems (FIS). Compliance with these new requirements is material to eligibility and payment under government contracts. This rule also applies to acquisitions for commercial products, including COTS items, and commercial services because Government data and systems require protection regardless of dollar value or commerciality of the product or service. The new FAR clauses are prescribed for use in solicitations and contracts for services to develop, implement, operate, or maintain a FIS.
The second proposed rule would add new incident threat reporting requirements for Federal contractors. It aims to strengthen and standardize contract requirements for cybersecurity by “providing mechanisms to help ensure that entities or individuals that knowingly put U.S. information or systems at risk, by violating these cybersecurity requirements, are held accountable.” These new rules could potentially:
1) require offerors to represent that they have submitted all security incident reports in a current, accurate and complete manner; and represent whether they have required each lower tier subcontractor to include the requirements in their subcontract;
2) require contractors to develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract regardless of whether there is any security incident; and
3) significantly expand agency (CISA, FBI, or contracting agency) access to contractor information, equipment, and to contractor personnel.
Comments on both proposed FAR changes are due before December 4, 2023, to be considered in the formation of the final rule.