New FAR cybersecurity rules and next steps for government contractors

Oct 5, 2023

The FAR Council has recently issued two crucial proposed cybersecurity rules that directly impact federal contractors. This blog post breaks down the key elements of these rules and provides a straightforward action plan for government contractors to comply. From understanding new definitions to implementing specific requirements, we outline the steps you need to take immediately to stay ahead of the curve.


On October 3, 2023, the FAR Council issued two significant proposed rules concerning cybersecurity for federal contractors. Stemming from Biden's 2021 Executive Order, these rules focus on Cyber Threat and Incident Reporting and on Standardizing Cybersecurity Requirements. Here's a straight-to-the-point overview of what this means for you as a government contractor.

Key rules to be aware of

  1. Cyber Threat and Incident Reporting (FAR Case 2021-017)

    • Applies To: Contracts using Information and Communications Technology (ICT).

    • New Definitions: Includes terms like IoT devices, Operational Technology, and Security Incident.

    • New Requirements: Software Bills of Materials (SBOM), IPv6 implementation, and CISA engagement.

    • Access and Reporting: Contractors must grant access to CISA, the FBI, and the contracting agency during incidents.

  2. Standardizing Cybersecurity Requirements (FAR Case 2021-019)

    • Applies To: Contracts involving Federal Information Systems (FIS).

    • New Definitions: Specifies what counts as a Federal Information System.

    • New Requirements: Includes FIPS 199 impact analysis, FedRAMP authorization for cloud services, and others.

Steps you can take

For FAR case 2021-017:

  1. Review Definitions: Familiarize your team with new definitions related to ICT.

  2. Prepare SBOM: Create a Software Bill of Materials for any software used.

  3. IPv6 Compliance: Complete IPv6 transition as per OMB Memorandum M-21-07.

  4. Collaborate with CISA: Prepare to allow CISA access for threat hunting.

For FAR case 2021-019:

  1. FIS Assessment: Determine if your contracts involve Federal Information Systems.

  2. Compliance Checks: Perform a FIPS 199 impact analysis and set up multi-factor authentication.

  3. Cloud Services: Obtain FedRAMP authorization if using cloud services.

  4. Data Localization: For high-impact systems, ensure data is stored within the U.S.

Reporting and indemnification

  • Incident Reporting: Incidents must be reported within 8 hours of discovery via the CISA portal.

  • Indemnification: Prepare to indemnify the Government against data loss or damage.

Immediate next steps

  • Draft comments for the FAR Council before December 4, 2023.

  • Start an internal audit to gauge current compliance levels.

  • Update subcontractor agreements to include new requirements.
