Two long-awaited proposed FAR rules on cybersecurity requirements, to be published on October 3, 2023, would standardize language and processes across Government but could have far-reaching financial and administrative compliance impacts on existing and future contractors, particularly small businesses. We break down the proposed changes below.
FAR Case 2021-017 Cyber Threat and Incident Reporting and Information Sharing.
This 72-page proposed rule would partially implement E.O. 14028, Improving the Nation’s Cybersecurity (5/12/22), and would implement OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6) (11/19/2020). Items of note in this proposed rule are:
Changes to the definition of Information and Communication Technology (ICT) to:
Move the definition of “Information system” from FAR 4.1901 to FAR 2.101.
Add definitions for “internet of things (IOT) devices”, “operational technology”, “telecommunications equipment” and “telecommunications services”.
FAR Part 39. Several changes include:
Adds a definition of “Supplier’s declaration of conformity” derived from NIST SP 500-281B.
Revises the title of FAR 39.106 to “Internet Protocol version 6 (IPv6)” with subsections added for policy and waiver requirements, and updates FAR 7.105, FAR 11.002, FAR 12.202, and FAR 39.101 to point to this new section.
Adds a new FAR subpart 39.107 Response to incident reports and requests for information or access.
Moves provisions and clauses previously found in FAR 39.106 to a new FAR 39.108 and adds the following new clause and provision.
FAR clause 52.239-ZZ (TBD), Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology. This clause establishes new definitions and coverage for:
Requests for security incident reporting.
Supporting incident response, which provides CISA, the Federal Bureau of Investigation (FBI) in the Department of Justice, and the contracting agency full access to applicable contractor information and information systems, and to contractor personnel, in response to a security incident reported by the contractor or a security incident identified by the Government, as required by the E.O.
Cyber threat indicators and defensive measures reporting.
IPv6.
NOTE: Requires flow down to lower tier subcontractors.
FAR provision 52.239-AA (TBD), Security Incident Reporting Representation, for offerors to represent that they have submitted all security incident reports in a current, accurate and complete manner; and represent that they have required each lower tier subcontractor to flow down the FAR clause 52.239-ZZ in their subcontracts.
The proposed new provision and clause would be applicable to solicitations and contracts below the simplified acquisition threshold and for commercial products (including COTS items) and commercial services.
Adds a new requirement for contractors to develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract regardless of whether there is any security incident. SBOMs are described at section 10(j) of E.O. 14028. This requirement is proposed to also flow down to subcontractors.
Requires contractors to provide access to, and cooperate with, Cybersecurity and Infrastructure Security Agency (CISA) engagement services for threat hunting and incident response, giving the Government visibility into systems in order to observe adversary activity; such engagements would take place only after consultation between the contractor and the contracting agency.
Requires additional actions to support incident response when primes or subcontractors are operating in a foreign country.
Updates existing FAR provision and clauses as necessary to conform and align with the proposed changes.
IMPORTANT: The Government is asking for industry input in several key areas:
Anticipated impact of including a requirement to develop SBOMs. (pg 10)
CISA, FBI, and/or contracting agency access to information, equipment, personnel; safeguards to access; and privacy and civil liberties. (pgs 11-12)
Scenarios where businesses could not comply or would be prevented from complying with the FAR clause 52.239-ZZ due to a country’s laws or regulations. (pg 13)
Security incident reporting harmonization between government and industry (including DFARS 52.204-7012, Homeland Security Acquisition Regulation (HSAR), Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and the National Industrial Security Program Operating Manual (NISPOM)). (pgs 16-18)
The Government’s estimate of the financial impacts to the public and Government is summarized starting on page 19 of the proposed rule, and the number of entities and burden hours on pages 31-34.
The Government has summarized the compliance requirements beginning on page 28 for the new clause (-ZZ) as referenced above. They include:
providing information regarding reportable incidents to CISA and to affected agencies, and any updates until eradication or remediation activities are completed.
conducting data preservation and protection and providing to the Government, if requested.
developing, storing, and maintaining customization files, and providing to the Government, if requested.
developing and maintaining a software bill of materials (SBOM) and providing or providing access to the SBOM (and its updates) to the Government.
providing to the Government and any 3rd party authorized assessor all incident and damage assessment information identified in the clause, if the Government elects to conduct an incident or damage assessment.
if applicable, submitting malicious code samples or artifacts to CISA within 8 hours of discovery and isolation of the malicious software.
providing access to additional information or equipment necessary for forensic analysis upon request by the Government; time to cooperate with the Government on ensuring effective incident response, corrections, or fixes; and time to confirm the validity of a request from CISA by contacting the CISA Hotline and notifying the contracting officer.
subscribing to the Automated Indicator Sharing (AIS) capability or successor technology during the performance of the contract and sharing cyber threat indicators and recommended defensive measures in an automated fashion using AIS.
implementing the delta capabilities required for moving to IPv6 for ICT products and services that use internet protocol (capabilities in NIST SP 500-267B).
providing a corresponding supplier’s declaration of conformity in accordance with the USGv6 Test Program (see NIST SP 500-281A).
for contracts for which the agency CIO has approved a waiver of IPv6 requirements, developing and providing an IPv6 Implementation Plan to the Government that details how the contractor plans to incorporate the applicable mandatory capabilities recommended in the current version of NIST SP 500-267B into products and services provided to the Government.
Comments are due February 2, 2024 (see extension of comment period here). Submit comments in response to FAR Case 2021-017 to the Federal eRulemaking portal at https://www.regulations.gov by searching for “FAR Case 2021-017”. Select the link “Comment Now” that corresponds with “FAR Case 2021-017”. Follow the instructions provided on the “Comment Now” screen. Include your name, company name (if any), and “FAR Case 2021-017” on your attached document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR FURTHER INFORMATION CONTACT section of the proposed rule document for alternate instructions.
------------------------------------------------------------------------------------------------------------------------------
FAR Case 2021-019 Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems
This 115-page proposed rule would partially implement E.O. 14028, Improving the Nation’s Cybersecurity (5/12/22) and the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Pub. L. 116-207) Section 7, Paragraphs (a) and (b)(1). The proposed rule would standardize language and minimum cybersecurity standards across government to those derived from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) in an effort to protect and secure cloud-based, on-premises, or hybrid Federal Information Systems (FIS) used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.
(NOTE: This proposed rule does not implement the Office of Management and Budget (OMB) Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (dated 9/15/2022).)
Items of note in this proposed rule are:
New FAR Subpart 39.X (TBD), Federal Information Systems. This new subpart will outline policies and procedures when acquiring services to develop, implement, operate, or maintain a FIS.
New and revised definitions in FAR Subpart 2.101 and 39.X using current language from statute, regulation, OMB memoranda and circulars, and National Institute of Standards and Technology (NIST) Special Publications (SP) guidance.
New FAR Subpart 39.X02-1(b), Prohibited IoT devices in Federal information systems, to implement Section 7, Paragraphs (a) and (b)(1) of the IoT Cybersecurity Improvement Act referenced above, and to ensure the rule applies to acquisitions valued at or below the simplified acquisition threshold, including acquisitions for commercial products (including COTS items) and commercial services.
Two new FAR clauses to be used in contracts for services to develop, implement, operate, or maintain a FIS.
FAR Clause 52.239-YY Federal Information Systems Using Non-Cloud Computing Services.
FAR Clause 52.239-XX Federal Information Systems Using Cloud Computing Services.
The proposed new clauses would not be applicable to solicitations and contracts below the simplified acquisition threshold but would be applicable for commercial products (including COTS items) and commercial services.
Conforming changes to FAR Parts 4, 7, 27, and 39 to further implement changes in appropriate acquisition phases and when taking certain actions.
The Government’s estimate of the impacts to the public and Government is summarized on pages 22-48 of the proposed rule, and the number of entities and burden hours for both industry and Government are found on pages 53-54.
The Government’s summary of the compliance requirements for contractors awarded a contract or subcontract to develop, implement, operate, or maintain a FIS begins on page 50. They include:
Non-Cloud FIS:
Read and become familiar with the rule, as well as review the applicable standards documents identified in the rule.
Develop and maintain a detailed list of the physical location of all operational technology (OT) equipment included within the boundary of the non-cloud FIS for the duration of the contract, so that the OT equipment can be affirmatively located when necessary and any movement of such equipment during performance of the contract can be tracked. The list must include:
Identification and location of any controllers, relays, sensors, pumps, actuators, Open Platform Communications Unified Architecture devices, and other industrial control system devices, as well as all the IP addresses assigned to the different hardware components, used in performance of the contract.
An explanation of whether the device is password protected and, if so, whether it can be changed.
An explanation of whether the device is accessible remotely.
Whether multi-factor authentication is present and enabled.
When requested by the Government, submit a copy of the OT equipment list to the Government.
Submit a copy of their continuous monitoring strategy for the FIS.
For FISs categorized as FIPS Publication 199 moderate or high security impact, submit the results of: an annual independent assessment of the security of the FIS, and an annual cyber threat hunting and vulnerability assessment.
The assessment of the security of the FIS must be an independent assessment that is not conducted by the contractor.
The cyber threat hunting and vulnerability assessment may be completed by the contractor.
A small business must submit the results of both assessments, including any recommended improvements or risk mitigations identified for the FIS, to the Government.
A small business will need at least one employee within an information system occupation series to review and submit the annual assessments to the Government, as well as implement any recommended solutions resulting from the assessments.
If an entity chooses to conduct the cyber threat hunting and vulnerability assessment on their own, the entity will need at least one subject matter expert in cyber threat hunting and vulnerability assessment, as well as experience with system assessment, analysis, and audit.
Comments are due on February 2, 2024 (see extension of comment period here). Comments are due 60 days after the date of publication. Submit comments in response to FAR Case 2021-019 to the Federal eRulemaking portal at https://www.regulations.gov by searching for “FAR Case 2021-019”. Select the link “Comment Now” that corresponds with “FAR Case 2021-019”. Follow the instructions provided on the “Comment Now” screen. Include your name, company name (if any), and “FAR Case 2021-019” on your attached document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR FURTHER INFORMATION CONTACT section of the proposed rule document for alternate instructions.