This is an advisory update of key responsibilities for contractors under a proposed new Federal Acquisition Regulation (FAR) rule that standardizes cybersecurity requirements for a Federal Information System (FIS). The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued this proposed new rule on October 3, 2023. If adopted, this new rule will apply if you are awarded a contract to develop, operate, or maintain an unclassified FIS on behalf of an agency. The proposed rule aims to standardize and streamline cybersecurity requirements for FIS across agencies. It would require two new FAR clauses in applicable contracts for an FIS that uses: cloud computing services (52.239-XX) and non-cloud computing services (52.239-YY).
Here is a summary of key compliance areas that federal contractors subject to the new rule will need to address:
- Implement security controls based on the Federal Information Processing Standard (FIPS) 199 impact categorization (low, moderate, high) of the system and guidelines in National Institute of Standards and Technology (NIST) SP 800-53, 800-161, 800-82. For cloud systems, comply with Federal Risk and Authorization Management Program (FedRAMP) security requirements.
- Develop, review, and update a System Security Plan that describes how security requirements are implemented. Provide a copy to the agency upon request.
- For moderate/high impact systems, conduct annual independent assessments—penetration testing and cyberthreat hunting. Submit results and recommendations to the contracting officer.
- Provide a continuous monitoring strategy that maintains ongoing awareness of vulnerabilities and threats, and applies automation where possible. Make the strategy available to the agency upon request.
- Develop and maintain a list of the physical location(s) of operational technology equipment. Update for any changes and provide a copy to the agency upon request.
- Comply with applicable Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directives that are relevant to the system.
- Follow limitations on access to and use of government data. Notify the contracting officer of any third-party requests for access to data.
- For cloud services, high-impact systems must maintain data within the U.S. unless an exception is granted. Dispose of data as specified in the contract.
Comments on the proposed rule are due by December 4, 2023, and may be submitted using the Federal eRulemaking portal at: https://www.regulations.gov and searching for “FAR Case 2021–019.”
Please consult your legal advisor for any additional questions about these cybersecurity compliance responsibilities.