On October 3, 2023, the FAR Council released two proposed rules on federal contractor cybersecurity requirements: one on cyber threat and incident reporting and information sharing (case 2021-017) and one on standardizing cybersecurity requirements for unclassified federal information systems (case 2021-019). Both proposed rules not only impose new requirements on federal contractors but also introduce new definitions and contract provisions for information and communications technology contracts and federal information systems contracts.
Cyber Threat and Incident Reporting and Information Sharing
This proposed rule will apply to contracts where information and communications technology (ICT) is used or provided in the performance of the contract. In addition to new definitions for terms such as “operational technology,” “telecommunication services,” and “security incident,” the proposed rule includes requirements and representations for federal contractors in areas such as “preparation and maintenance activities,” enhanced collaboration with agencies, and subcontractor compliance. These new requirements for federal contractors include, but are not limited to:
- Developing and maintaining a Software Bill of Materials for any software used in contract performance.
- Allowing access to, and cooperating with, the Cybersecurity & Infrastructure Security Agency (CISA) for purposes of threat hunting and incident response.
- Reporting security incidents to CISA within eight hours of discovery of the security incident, and providing updates every 72 hours until it is remediated.
The rule also includes new provisions regarding security incident reporting that must be included in all solicitations and contracts and will flow down to subcontracts.
Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems
This proposed rule will provide standardized requirements for contractors that develop, implement, operate, or maintain Federal Information Systems (FIS). In addition to providing an updated definition of FIS, the rule establishes new contract requirements and provisions for FIS contracts, with separate requirements and provisions depending on whether the FIS uses non-cloud computing services or cloud computing services. Specifically, both contract provisions include indemnification clauses that will require contractors to indemnify the government for “potential or actual loss or damage to government data.”
It is important to note that while there is no date for the enactment of the proposed rules, both proposed rules state that compliance with the requirements imposed by them is “material to eligibility and payment under government contracts.”
Stay tuned for updates and comments on these rules.