Proposed FAR Revisions Aim to Standardize Cybersecurity Requirements Across Agencies and Add Incident Reporting Obligations for Contractors

King & Spalding
Contact

On October 3, the Department of Defense, General Services Administration, and the National Aeronautics and Space Administration published two sets of proposed revisions to the Federal Acquisition Regulation (“FAR”) pertaining to cybersecurity of the government’s information systems. The proposed regulations stem from Executive Order 14028 on Improving the Nation’s Cybersecurity, issued by the White House in 2021.

The first set of revisions, titled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” would aim to harmonize the currently agency-specific policies on cybersecurity. As proposed, the regulations, among other things, (i) add a new FAR subpart 39.X to prescribe policies and procedures for agencies when acquiring services to develop, implement, operate, or maintain a federal information system (“FIS”), and (ii) add two new FAR clauses to be used in contracts for services to develop, implement, and operate, or maintain a FIS: one addressing contracts that use non-clouding computing services (addressing records management, government access, assessments, and certain security and privacy controls) and another addressing FIS using cloud computing services (addressing safeguards, controls, and maintenance of certain systems, government data, and other protections).

The second set of revisions, titled “Cyber Threat and Incident Reporting and Information Sharing” would establish incident reporting and information sharing requirements to be included in government contracts. These requirements would be captured in a clause that would be inserted by references to FAR provisions with lists of “Standard Contract Terms Required to Implement Statutes or Executive Orders.” The new reporting regulation would impose five requirements: (i) develop and maintain a software bill of materials for software used to perform a government contract; (ii) make systems available to government analysts and investigators; (iii) provide full access to applicable information, systems, and personnel to both Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigations, and the Department of Justice in response to a security incident; (iv) comply with reporting requirements when operating in foreign countries; and (v) promptly report suspected security incidents, including investigating within 8 hours of discovery that a security incident may have occurred.

Non-compliance with the new requirements may create potential liability not only under the applicable government contract but also under the Federal False Claims Act (“FCA”). The FCA authorizes private rights of action by relators, and the related penalties are up to three times the government’s damages in addition to a penalty of up to $27,018 per claim.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding

Written by:

King & Spalding
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide