E Point Perfect

Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Four – Cybersecurity Federal Acquisition Regulation (FAR) Updates


The federal government has continued its efforts to fulfill the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity. For companies that do business with the Federal government, beyond looking at the other issues raised in this series of posts (see here, here and here), these efforts will be important to keep in mind in 2023. There are three efforts underway by the FAR Council to amend the Federal Acquisition Regulations (FAR) related to the Executive Order (in addition to the Secure Software efforts discussed in Part Three).

  • Cyber Threat and Incident Reporting and Information Sharing – new provisions will require information technology and operational technology service providers to collect and preserve information related to cybersecurity incidents on federal information systems and report relevant information to the federal government. These requirements may impose a tight timeline similar to the 72-hour incident reporting requirement currently in the DFARS. OMB received a proposed FAR rule in December 2022; if approved, we may see proposed language this year.
  • Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems – the federal government is currently working to standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems. It is unclear how or if this clause would impact ongoing federal efforts to adopt the Controlled Unclassified Information (CUI) Program managed by the National Archives and Records Administration (NARA), which is also pending at OMB. These requirements may be similar to the DoD CUI requirements reflected in the DFARS. OMB received a proposed FAR rule in December 2022; if approved, we may see proposed language this year.
  • Establishing FAR Part 40 – this is an effort to amend the FAR to create a new FAR part, Part 40, which will be the single, consolidated location for cybersecurity supply chain risk management requirements. It is unclear at this point which FAR clauses will be included in this section. OMB listed this proposed FAR measure in the “Final Rule Stage” and tentatively anticipates it will be finalized this spring.

Putting it Into Practice – What to expect in 2023: We continue to monitor for updates to the FAR. However, contractors and suppliers can begin preparing for additional requirements for safeguarding controlled unclassified information and cybersecurity incident reporting by reviewing current requirements in the DFARS and related guidance.

