New FAR Cybersecurity Requirements for Federal Contractors

Christopher Slottee, Stephen Sullivan
Schwabe, Williamson & Wyatt PC
Contact
LinkedIn
Facebook
X
Send
Embed

Schwabe, Williamson & Wyatt PC

This is an advisory update of key responsibilities for contractors under a proposed new Federal Acquisition Regulation (FAR) rule that standardizes cybersecurity requirements for a Federal Information System (FIS). The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued this proposed new rule on October 3, 2023. If adopted, this new rule will apply if you are awarded a contract to develop, operate, or maintain an unclassified FIS on behalf of an agency. The proposed rule aims to standardize and streamline cybersecurity requirements for FIS across agencies. It would require two new FAR clauses in applicable contracts for an FIS that uses: cloud computing services (52.239-XX) and non-cloud computing services (52.239-YY).

Here is a summary of key compliance areas that federal contractors subject to the new rule will need to address:

  • Implement security controls based on the Federal Information Processing Standard (FIPS) 199 impact categorization (low, moderate, high) of the system and guidelines in National Institute of Standards and Technology (NIST) SP 800-53, 800-161, 800-82. For cloud systems, comply with Federal Risk and Authorization Management Program (FedRAMP) security requirements.
  • Develop, review, and update a System Security Plan that describes how security requirements are implemented. Provide a copy to the agency upon request.
  • For moderate/high impact systems, conduct annual independent assessments—penetration testing and cyberthreat hunting. Submit results and recommendations to the contracting officer.
  • Provide a continuous monitoring strategy that maintains ongoing awareness of vulnerabilities and threats, and applies automation where possible. Make the strategy available to the agency upon request.
  • Develop and maintain a list of the physical location(s) of operational technology equipment. Update for any changes and provide a copy to the agency upon request.
  • Comply with applicable Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directives that are relevant to the system.
  • Follow limitations on access to and use of government data. Notify the contracting officer of any third-party requests for access to data.
  • For cloud services, high-impact systems must maintain data within the U.S. unless an exception is granted. Dispose of data as specified in the contract.

Comments on the proposed rule are due by December 4, 2023, and may be submitted using the Federal eRulemaking portal at: https://www.regulations.gov and searching for “FAR Case 2021–019.”

Please consult your legal advisor for any additional questions about these cybersecurity compliance responsibilities.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Schwabe, Williamson & Wyatt PC | Attorney Advertising

Written by:

Schwabe, Williamson & Wyatt PC
Schwabe, Williamson & Wyatt PC
Contact
more
less

Schwabe, Williamson & Wyatt PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide