Reflective of the Government’s increasing focus on cybersecurity, on October 3, 2023, the Federal Acquisition Regulation Council (FAR Council) released two new proposed rules that will have major impacts on federal contractors. These rules implement the May 2021 Executive Order on Improving the Nation’s Cybersecurity.¹ One rule applies to any federal contractor that uses information and communications technology (ICT) systems in the performance of a federal contract, sets forth cybersecurity incident reporting requirements, and imposes a software bill of materials (SBOM) requirement. The other rule, which applies only to those federal contractors that provide or maintain a Federal Information System (FIS), is intended to standardize cybersecurity requirements for unclassified FISs.

FAR Case No. 2021-0017: Cyber Threat and Incident Reporting, Information Sharing, and SBOMs

This proposed rule (which the FAR Council estimates would apply to approximately 75 percent of contractors) establishes an SBOM requirement, requires very early incident reporting, and provides for the sharing of cyber threat information between the Government and industry. The proposed rule includes a new contract clause and a new representation, both of which will be mandatory for all contracts that are above the micro-purchase threshold—including contracts for commercial-off-the-shelf (COTS) products.

This proposed rule and the associated new FAR clause create new requirements for contractors and grant new powers to agencies (such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA)), including requiring contractors to:

• develop and maintain an SBOM, which the clause defines as “a formal record containing the details and supply chain relationships of various components used in building software.” An SBOM must be developed for each piece of computer software used in contract performance and must be updated each time the software is updated “with a new build or major release” during contract performance;
• report security incidents “involving a product or service provided to the Government that includes information and communications technology, or the information system used in developing or providing the product or service” using the CISA Incident Reporting System. The report to CISA must be made within eight hours of discovery that a security incident may have occurred and the CISA submission must be updated every 72 hours thereafter until eradication or remediation activities have been completed. These reporting requirements do not replace other applicable reporting requirements, including requirements of those with contracts with the Department of Defense under DFARS 252.204-7012;
• provide CISA, the FBI, and the contracting agency “full access” to impacted contractor information systems and contractor personnel;
• collect and preserve data and information that is relevant to the prevention, detection, response, and investigation of security incidents that concern information systems used in developing or providing ICT products or services to the Government;
• provide access to and cooperate with CISA engagement services related to threat hunting and incident response; and
• subscribe to the Automated Indicator Sharing capability (or successor technology) and share cyber threat indicators and defensive measures.

This proposed rule also introduces a new offeror representation that requires offerors to represent that they have submitted all security incident reports on existing contracts “in a current, accurate, and complete manner” (as required under the new contract clause described above), and that they have required each subcontractor to include certain requirements of the new proposed FAR clause (described above) in their lower-tier subcontracts.

FAR Case No. 2021- 0019: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems

This proposed rule, which applies only to those contractors that are under contract to provide or maintain an FIS, introduces two new contract clauses—one for cloud-based FIS and the other for non-cloud (i.e., on-premises) FIS. These clauses are mandatory for any contract for the development, implementation, operation, or maintenance of an FIS, including contracts for COTS items and contracts below the simplified acquisition threshold. In addition, contractors will be required to flow down the substance of the clause in any subcontracts for services to develop, implement, operate, or maintain the FIS.

Notable features of the proposed rule and FAR clause applicable to non-cloud FIS include requirements:

• for agencies to use Federal Information Processing Standard (FIPS) Publication 199 to categorize the FIS and identify corresponding security and privacy controls;
• that agencies specify the necessary security and privacy controls under each contract, based on the relevant NIST publication,²
  • contractors will be required to develop, review, and update, if appropriate, a System Security Plan to support authorization of all applicable FIS based on the agency’s guidance and have contingency plans for all information systems that align with NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems”;
• for contractors to conduct periodic assessments of FIS designated as moderate or high impact under FIPS Publication 199 and provide the results of such assessments to the contracting officer; and
• for contractors to provide full access to U.S. Government and U.S. Government-related data and contractor personnel for inspections, audits, and investigations.

The processes and requirements of the proposed rule and FAR clause applicable to cloud FIS are largely similar to those for non-cloud based, but also include requirements:

• for agencies to identify the corresponding Federal Risk and Authorization Management Program (FedRAMP) authorization level and for the contractor to implement and maintain security and privacy safeguards and controls that correspond to the FedRAMP level specified;
• for systems categorized as having FIPS Publication 199 high impact, all U.S. Government data that is not physically located on U.S. Government premises must be maintained within the U.S. or its outlying areas; and
• for contractors to provide and dispose of U.S. Government data as specified in the contract and additionally to provide confirmation of disposal to the Government.

Both clauses include a broad indemnification provision, requiring the contractor to agree to indemnify the Government for “any liability that arises out of the performance of the contract and is incurred because of the contractor's introduction of certain information or matter into Government data or the contractor's unauthorized disclosure of certain information or material.” The clauses further require the contractor to “waive any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractor Defense.’” In other words, a negligence defense is not available under this indemnification provision.

Final Thoughts

As the volume and complexity of FAR clauses and representations increase, so does the opportunity for contractors to incur liability beyond breach of contract. Readers may recall that the U.S. Department of Justice (DOJ) launched a Civil Cyber-Fraud Initiative in 2021, and that the DOJ can use (and has used) the False Claims Act to hold accountable government contractors who misrepresent their cybersecurity practices or knowingly violate their obligations to monitor and report security incidents. Both proposed rules highlight this risk to contractors, by including a statement that compliance with their respective requirements “are material to eligibility and payment under Government contracts.”

Comments to the proposed rules will be accepted until December 4, 2023. In the meantime, contractors should carefully review the proposed rules and new clauses and make appropriate preparations to comply with the new requirements. 

[1] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[2] The applicable controls will be based on the current versions of the following NIST publications:

• SP 800-53, “Security and Privacy Controls for Information Systems and Organizations”;
• SP 800-213, “IOT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements”;
• SP 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”; and
• SP 800-82, “Guide to Industrial Control Systems Security.”