Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Four – Cybersecurity Federal Acquisition Regulation (FAR) Updates

The federal government has continued its efforts to fulfill the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity. For companies that do business with the Federal government, beyond looking at the other issues raised in this series of posts (see here, here and here), these efforts will be important to keep in mind in 2023. There are three efforts underway by the FAR Council to amend the Federal Acquisition Regulations (FAR) related to the Executive Order (in addition to the Secure Software efforts discussed in Part Three).

• Cyber Threat and Incident Reporting and Information Sharing – new provisions will require information technology and operational technology service providers to collect and preserve information related to cybersecurity incidents on federal information systems and report relevant information to the federal government. These requirements may impose a tight timeline similar to the 72-hour incident reporting requirement currently in the DFARS. OMB received a proposed FAR rule in December 2022; if approved we may see proposed language this year.
• Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems – the federal government currently is undergoing an effort to standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems. It is unclear how or if this clause would impact ongoing federal efforts to adopt the Controlled Unclassified Information (CUI) Program managed by National Archives Records Administration (NARA), which is also pending at OMB. These requirements may be similar to the DoD CUI requirements reflected in the DFARS. OMB received a proposed FAR rule in December 2022; if approved we may see proposed language this year. 
• Establishing FAR Part 40 – this is an effort to amend the FAR to create a new FAR part, Part 40, which will be the single, consolidated location for cybersecurity supply chain risk management requirements. It is unclear at this point which FAR clauses will be included in this section. OMB listed this proposed FAR measure in the “Final Rule Stage” and tentatively anticipates it will be finalized this spring.

Putting it Into Practice – What to expect in 2023: We continue to monitor for updates to the FAR. However, contractors and suppliers can begin preparing for additional requirements for safeguarding controlled unclassified information and cybersecurity incident reporting by reviewing current requirements in the DFARS and related guidance.