The Federal Acquisition Regulation (FAR) Council has proposed two new cybersecurity rules that would impose significant obligations and risks for federal government contractors.
- The proposed rules impose substantial cyber incident reporting and information sharing obligations on contractors.
- One will require contractors to indemnify the government against potential or actual loss or damage of government data.
- Both will make it easier for the government to pursue civil or criminal penalties under the False Claims Act against contractors that fail to comply with the new requirements.
On October 3, 2023, the Federal Acquisition Regulation (FAR) Council proposed two rules, Cyber Threat and Incident Reporting and Information Sharing and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems. The proposed rules partially implement Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, which aims to improve the nation’s cybersecurity and protect against cyber threats by revamping incident reporting and information sharing for federal contractors and by implementing related cybersecurity policies. On November 1, 2023, the FAR Council extended the comment period for these proposed rules until February 2, 2024.
As explained below, these rules are significant because they impose extensive and onerous obligations on contractors and their supply chains. In addition, both proposed rules include a statement that compliance with their respective requirements is “material to eligibility and payment under Government contracts.” This language strongly suggests that the government will take the position that failure to comply with these requirements could result in liability under the False Claims Act.
FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
FAR Case 2021-017 adds a new FAR clause, FAR 52.239–ZZ, “Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology,” which will impose the following significant obligations on contractors and subcontractors, among others:
Security Incident Reporting Harmonization. Under the new rule, contractors will be required to immediately and thoroughly investigate “all indicators that a security incident may have occurred,” and, within eight hours of discovery, report the incident using the Cybersecurity and Infrastructure Security Agency (CISA) incident reporting portal. Contractors are also required to update the submission every 72 hours thereafter “until the Contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities.” Notably, these requirements are in addition to other existing cyber incident reporting requirements, such as the 72-hour reporting requirement for incidents involving controlled unclassified information contained in DFARS 252.204-7012.
Access to Contractor Information and Information Systems. Following a security incident, contractors will be required to take certain steps to support the incident response. For example, contractors will have to provide CISA, the Federal Bureau of Investigation (FBI), the Department of Justice (DOJ) and the contracting agency full access to applicable contractor information and information systems, and to contractor personnel. Contractors will also be required to collect and preserve data and information related to the incident for at least 12 months in active storage, followed by six months in active or cold storage.
Software Bills of Materials (SBOM). For any computer software used in the performance of a contract, contractors will be required to develop and maintain an SBOM, which is defined as “a formal record containing the details and supply chain relationships of various components used in building software.” Contractors will be required to update the SBOM if the computer software is updated during contract performance. This requirement applies regardless of whether a security incident occurs.
FAR 52.239–ZZ will be required in all contracts, including those for commercial items and those below the simplified acquisition threshold. Contractors will also be required to flow this clause down to all subcontracts throughout the supply chain that involve information and communications technology (ICT). ICT is broadly defined as information technology and other equipment, systems, technologies or processes, for which the principal function is the creation, manipulation, storage, display, receipt or transmission of electronic data and information, as well as any associated content.
FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems
The second proposed rule aims to standardize cybersecurity policies, procedures and contractual requirements for contractors that develop, implement, operate or maintain an unclassified federal information system (FIS). An FIS is defined as an information system used or operated by an agency, contractor of an agency or another organization, on behalf of an agency.
This proposed rule creates two new FAR clauses—one that applies to non-cloud FIS, FAR 52.239-YY, Federal Information Systems Using Non-Cloud Computing Services, and one that applies to cloud-based FIS, FAR 52.239-XX, Federal Information Systems Using Cloud Computing Services—which are summarized below:
FAR 52.239-YY, Federal Information Systems Using Non-Cloud Computing Services
- Agencies will: (1) use Federal Information Processing Standard (FIPS) Publication 199 to categorize the FIS based on its impact analysis of the information processed, stored or transmitted by the system; (2) set the necessary security and privacy controls for the FIS in the contract; and (3) address multifactor authentication, administrative accounts, consent banners, IoT device controls and assessment requirements.
- Contractors shall provide CISA (for civilian agencies) and other specified federal agencies with timely and full access to government data and government-related data, timely access to contractor personnel involved in performance of the contract, and, specifically for the purpose of audit, investigation, inspection or other similar activity, physical access to any contractor facility with government data, including any associated metadata.
- Contractors shall: (1) conduct, at least annually, a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks and indicators of compromise; and (2) perform an annual, independent assessment of the security of each FIS. Upon completion, contractors will submit the results of an assessment, including any recommended improvements or risk mitigations, to the contracting officer.
- Contractors shall: (1) develop, review and update, if appropriate, a System Security Plan to support authorization of all applicable FIS; and (2) have contingency plans for all information technology systems, aligned to NIST SP 800–34, Contingency Planning Guide for Federal Information Systems.
FAR 52.239-XX, Federal Information Systems Using Cloud Computing Services
- Agencies will identify the FIPS Publication 199 impact level and the Federal Risk and Authorization Management Program (FedRAMP) authorization level for all applicable cloud computing services.
- Contractors shall implement and maintain the security and privacy safeguards and controls in accordance with the FedRAMP level specified by the agency.
- Contractors shall engage in continuous monitoring activities and provide continuous monitoring deliverables as required for FedRAMP approved capabilities.
- Contractors shall provide and dispose of government data and government-related data in the manner and format specified in the contract.
In addition to the requirements above, both of these FAR clauses will require contractors to indemnify the government against “any liability that arises out of the performance of the contract and is incurred because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.” The rule also states that contractors shall agree “to waive any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractors Defense.’” This indemnification provision may open contractors up to significant risk in the event of a data breach or other incident.
Both of these FAR clauses will apply to all contracts and subcontracts for such services, including contracts below the simplified acquisition threshold and contracts or orders for commercial products or services (including commercial off-the-shelf items).
Contractors are encouraged to review these proposed rules, assess their impact and begin preparations to develop new policies and procedures to become compliant with the new requirements. Comments on these rules are due by February 2, 2024.