Last week, the government announced two sets of proposed revisions to the Federal Acquisition Regulation (FAR) to improve the cybersecurity of the government’s information systems. Both sets of revisions relate to President Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity.
First, the Department of Defense (DoD), the General Services Administration (GSA), and NASA proposed revisions to the FAR that will standardize cybersecurity requirements for unclassified federal information systems (FISs). Because government contract requirements are “largely based on agency-specific policies and regulations” that can result in “inconsistent security requirements across contracts,” the new regulations seek to harmonize the requirements across federal agencies.
And, second, DoD, GSA, and NASA proposed new cyber threat incident reporting and information sharing requirements that will be applicable to contractors under revised FAR clauses to be included in government contracts. If implemented as proposed, these regulations will require contractors to take additional steps to “[e]nsure an effective incident response [and] investigation of potential incidents” and to provide federal law enforcement agencies, in addition to “the contracting agency[,] full access to applicable contractor information and information systems, and contractor personnel, in response to a security incident reported by the contractor or a security incident identified by the Government.”
This Legal Update provides further detail on both sets of revisions.
Standardizing Cybersecurity Requirements for Federal Information Systems
Under FAR Case 2021-019, the DoD, GSA, and NASA seek to standardize cybersecurity contractual requirements across federal agencies for unclassified FISs. The aim is to better protect FISs from cyber threats. The proposed rule specifies the policies, procedures, and requirements that apply to cloud and non-cloud FISs. When an acquisition requires both cloud and non-cloud services to perform the contract, the rule would require compliance with the policies, procedures, and requirements applicable for each service approach.
The proposed rule 1) adds a new FAR subpart 39.X, “Federal Information Systems,” to “prescribe policies and procedures for agencies when acquiring services to develop, implement, operate, or maintain an FIS”; 2) adds to and revises language in FAR part 2 and 39.X using current language from statute, Office of Management and Budget memoranda and circulars, and National Institute of Standards and Technology (NIST) Special Publications guidance; 3) makes changes to FAR parts 4, 7, 37, and 39 to further implement the policies and procedures described below; and 4) adds two new FAR clauses to be used in contracts to develop, implement, and operate an FIS: FAR Clause 52.239-YY, “Federal Information Systems Using Non-Cloud Computing Services,” and FAR Clause 52.239-XX, “Federal Information Systems Using Cloud Computing Services.”
The Two New Clauses
- FAR Clause 52.239-YY: FISs Using Non-Cloud Computing Services
The proposed rule will require agencies to use the Federal Information Processing Standard (FIPS) Publication 199 to identify adequate security and privacy controls when the agencies define their acquisition requirements. As part of the controls, the proposed rule would require agencies to address “multifactor authentication, administrative accounts, consent banners, Internet of Things device controls, and assessment requirements” in every applicable contract. The proposed rule also adds text to ensure that acquisition planners develop agency requirements in accordance with the rule.
Paragraph (c) of FAR Clause 52.239-YY requires contractors to provide government representatives with “timely and full access to Government and Government-related data,” timely access to contractor personnel involved in performance of the contract, and access to any contractor facility with government data, including metadata. Paragraph (d) requires contractors with FISs considered a moderate or high FIPS Publication 199 impact level to both 1) conduct an annual cyber threat hunting and vulnerability assessment and 2) perform an annual independent assessment of each FIS, submitting the results and any recommendations to the contracting officer. Paragraph (e) requires that the controls specified by the agency be based on NIST SPs 800-53, 800-213, 800-161, and 800-82. The paragraph also requires contractors to “develop, review, and update, if appropriate, an SSP to support all applicable FIS” and to have contingency plans for all information technology systems aligned to NIST SP 800-34. The clause further addresses additional considerations, including cyber supply chain risk management and contractor obligations in the event of an incident, and implements a portion of the “Internet of Things Cybersecurity Improvement Act of 2020,” which precludes the procurement of an IoT device if the use of the device prevents compliance with NIST SP 800-213.
- FAR Clause 52.239-XX: FISs Using Cloud Computing Services
When planning the acquisition of services to “develop, implement, operate, or maintain an FIS using cloud computing services,” agencies will identify the FIPS Publication 199 impact level and the Federal Risk and Authorization Management Program (FedRAMP) authorization level for all applicable cloud computing services in the contract. Paragraph (c) of the clause requires contractors to “maintain security and privacy safeguards and controls in accordance with the FedRAMP level specified by the agency, engage in continuous monitoring activities, and provide those activities” as required by FedRAMP. In addition, when a system has a high FIPS Publication 199 impact level, contractors must maintain “within the U.S. or its outlying areas, all Government data that is not physically located on US Government premises, unless otherwise specified in the contract.” Among other things, the clause also requires the proper disposal of government and government-related data and requires contractors to provide confirmation of that disposal to the contracting officer.
The proposed rule applies to commercial products, including commercially available off-the-shelf items, and commercial services, as the “data and systems require protection regardless of dollar value or the commerciality of the product or service.” The government believes that this rule will reduce administrative costs for contractors interested in providing FIS services, and that establishing uniform requirements for the parties will help protect FISs from malicious actors and their campaigns.
Revised Cyber Threat and Incident Reporting Requirements
Under FAR Case 2021-017, several definitions of terms relevant to cyber threats will be expanded or supplemented to include current terms and technologies. For instance, “information and communication technology (ICT)” will be described with additional examples that (unlike the current examples) are not primarily aimed at Section 508 of the 1973 Rehabilitation Act. Thus, examples of technologies and services to which the new requirements will be applicable are “telecommunications services,” “electronic media,” “Internet of Things (IoT) devices,” and “operational technology.” These examples are intended to update the reporting requirements to include newer technologies subject to increasing cyber threats.
The proposed changes regarding cyber reporting will be captured in a new FAR Clause 52.239-ZZ, “Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology.” Clause 52.239-ZZ will, in turn, be added to several FAR provisions with lists of “Standard Contract Terms Required to Implement Statutes or Executive Orders,” e.g., FAR 52.212-5 and 52.213-4. Among other things, those provisions will require the cybersecurity rules to be flowed down to subcontractors.
The new reporting regulation would impose five sets of requirements on contractors.
First, contractors would be required to develop and maintain a software bill of materials (SBOM) for any software used to perform a government contract—a requirement that would apply without regard to whether a security incident had occurred. The government believes SBOMs “can be critical in incident response, as they allow for prompt identification of any source of known vulnerability.”
Second, the proposed rule would require contractors to allow their systems to be available to government analysts and investigators. For example, contractors would be required to cooperate with the Cybersecurity and Infrastructure Security Agency (CISA) and allow its “engagement services” to access the contractor’s systems with respect to “threat hunting and incident response.” CISA would use “visibility into [a contractor’s] systems to observe adversary activity” with the goal of “driv[ing] risk reduction” across the government and its contractor community.
Third, contractors will be required to provide “full access to applicable contractor information and information systems, and to contractor personnel” to not only CISA but also the Federal Bureau of Investigation (FBI) and Department of Justice (DOJ). Such access must be provided “in response to a security incident” that the contractor suffers and reports to the government—or a concern that is “identified by the Government.” Thus, the federal government’s principal law enforcement authorities will gain “full access” to a contractor’s information systems as a result of the contractor suffering a cyber attack.
Fourth, the proposed cyber threat reporting rule imposes requirements and provides guidance regarding how to comply with cyber incident reporting requirements when operating in foreign countries. In this area, DoD, GSA, and NASA welcome input from the contractor community regarding any specific situations that contractors believe they may encounter that would affect their ability to comply with the incident reporting, incident response, or other new requirements by the government of a foreign country in which the contractor operates.
And, fifth, because compromises of ICT “can sometimes undermine Government network resilience and agency missions,” the proposed rule mandates prompt reporting of suspected security incidents. Specifically, the proposed rule would require the contractors to “immediately and thoroughly investigate all indicators that a security incident may have occurred and submit information using the CISA incident reporting portal . . . within 8 hours of discovery that a security incident may have occurred.” Contractors must then update the submission every 72 hours.
Cybersecurity threats are pervasive and serious, and contractors must be (and generally are) willing to assist the government, protect information, and report threats and incidents known to them with respect to information with which they have been entrusted. The new cyber threat requirements impose substantial additional reporting obligations and provide many federal agencies full access to contractors’ systems.
As contractors provide access to the government to help combat the threats faced, they must continue to consider their ability to provide the necessary reporting, as well as the effect of giving federal agencies unfettered access to the contractors’ information systems. Notably, the proposed revisions point out that Subparagraph (g)(i)(C) of section 2 of E.O. 14028 “recognizes the need to identify appropriate and effective protections for privacy and civil liberties.” The proposed revisions ask commenters to identify whether “there are any specific safeguards, including safeguards that would address the scope of full access or how full access would be provided, that would address [the contractor’s] concerns while still providing the Government with appropriate access to conduct necessary forensic analysis regarding security incidents.”
Comments on each proposal are due by December 4, 2023.