On October 3, the Department of Defense, General Services Administration, and the National Aeronautics and Space Administration published two sets of proposed revisions to the Federal Acquisition Regulation (“FAR”) pertaining to cybersecurity of the government’s information systems. The proposed regulations stem from Executive Order 14028 on Improving the Nation’s Cybersecurity, issued by the White House in 2021.
The first set of revisions, titled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” aims to harmonize the currently agency-specific cybersecurity policies. As proposed, the regulations, among other things, (i) add a new FAR subpart 39.X prescribing policies and procedures for agencies acquiring services to develop, implement, operate, or maintain a federal information system (“FIS”), and (ii) add two new FAR clauses for use in contracts for services to develop, implement, operate, or maintain a FIS: one for FIS that use non-cloud computing services (addressing records management, government access, assessments, and certain security and privacy controls) and another for FIS that use cloud computing services (addressing safeguards, controls, and maintenance of certain systems, government data, and other protections).
The second set of revisions, titled “Cyber Threat and Incident Reporting and Information Sharing,” would establish incident reporting and information sharing requirements to be included in government contracts. These requirements would be captured in a clause incorporated by reference through the FAR provisions that list “Standard Contract Terms Required to Implement Statutes or Executive Orders.” The new reporting regulation would impose five requirements: (i) develop and maintain a software bill of materials for software used to perform a government contract; (ii) make systems available to government analysts and investigators; (iii) provide full access to applicable information, systems, and personnel to the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Justice in response to a security incident; (iv) comply with reporting requirements when operating in foreign countries; and (v) promptly report suspected security incidents, within 8 hours of discovering that a security incident may have occurred.
Non-compliance with the new requirements could expose contractors to liability not only under the applicable government contract but also under the federal False Claims Act (“FCA”). The FCA authorizes qui tam actions by private relators, and liability under it runs to three times the government’s damages plus a civil penalty of up to $27,018 per claim.