FAR Cyber compliance proposal: Requirements and Implications

Department of Defense (DoD), General Services Administration (GSA), and NASA proposed a set of changes to the Federal Acquisition Regulation (FAR) to implement the requirements originating from EO14028.
Interlynk
October 16, 2023

Executive Order 14028 — Executive Order on Improving the Nation’s Cybersecurity — kicked off a series of actions with the goals of:

  • improving information sharing between the Government and private sector,
  • modernizing and strengthening cybersecurity standards in Federal agencies and
  • improving the software supply chain

On October 3rd, the Department of Defense (DoD), General Services Administration (GSA), and NASA proposed a set of changes to the Federal Acquisition Regulation (FAR) to implement the requirements originating from EO14028.

These requirements are open for written comments until December 4th, 2023.

Proposed changes create new compliance obligations for a large number of federal contractors.

Let’s dig in!

What are the requirements?

The requirements are part of two separate FAR cases:

  1. FAR Case 2021-017: Cyber Threat and Incident Reporting and Information Sharing
  2. FAR Case 2021-019: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems

1. Cyber Threat and Incident Reporting and Information Sharing

This rule proposes “Incident and Threat Reporting and Incident Response Requirements” on products and services containing “Information and Communications Technology” (ICT).

Security Incident Reporting Requirements

This proposal requires contractors (and subcontractors) to:

  • immediately and thoroughly investigate all indicators that a security incident may have occurred,
  • submit the information to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours of discovery,
  • provide an update to CISA every 72 hours until the incident is resolved, and
  • collect and preserve incident, detection, prevention, response, and investigation-related data for at least 12 months in active storage followed by six months in active or cold storage, and share it with the Government if requested by the contracting officer.

A Security Incident is defined as an actual or potential occurrence of the following:

  • Any event or series of events which pose(s) actual or imminent jeopardy, without lawful authority, to the integrity, confidentiality, or availability of information or an information system or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
  • Any malicious computer software discovered on an information system or
  • Transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level.

Incident Reporting Representation Requirements

This proposal requires offerors to represent, in all solicitations and contracts, that they have submitted all security incident reports in a current, accurate, and complete manner and that they have required their subcontractors to do the same in their subcontracts.

SBOM Requirements

Contractors must maintain — and provide to the Government — an SBOM for “each piece of computer software used in the performance of the contract,” in a machine-readable, industry-standard format compliant with NTIA’s Minimum Elements for a Software Bill of Materials.

The SBOM must be kept up to date with each new build or major release and must be filed with the contracting officer for each such change. This includes software builds that integrate an updated component or dependency.
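As an added example (not code from the proposal, NTIA, or Interlynk), the following Python checks a simplified CycloneDX-style SBOM for the NTIA minimum-element data fields (supplier, component name, version, unique identifier, dependency relationship, author, timestamp) and decides whether a new build changed a component, which under the rule would require filing an updated SBOM. The two SBOM documents, the component names and the supplier names are constructed for this example.

```python
"""Added example (not the FAR Council's or NTIA's tooling): check a simplified
CycloneDX-style SBOM for the NTIA minimum-element fields and flag re-filing."""
import copy
import json

# Per-component NTIA minimum elements: supplier, name, version, unique identifier.
COMPONENT_FIELDS = ("supplier", "name", "version", "purl")

def missing_minimum_elements(sbom: dict) -> list:
    """Return the NTIA minimum-element gaps found in an SBOM document."""
    meta = sbom.get("metadata", {})
    # Author of SBOM data and timestamp live in the document metadata.
    gaps = [f"metadata.{k}" for k in ("timestamp", "authors") if not meta.get(k)]
    refs, in_graph = set(), set()
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "?")
        refs.add(ref)
        gaps += [f"components[{ref}].{f}" for f in COMPONENT_FIELDS if not comp.get(f)]
    # Dependency relationship: every component must appear in the graph.
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    return gaps + [f"dependencies: {r} not in graph" for r in sorted(refs - in_graph)]

def components(sbom: dict) -> set:
    return {(c.get("name"), c.get("version")) for c in sbom.get("components", [])}

def refiling_required(previous: dict, current: dict) -> bool:
    """An added, removed or re-versioned component is a new build under the rule."""
    return components(previous) != components(current)

# Constructed sample: build 1 lacks a supplier for one dependency.
BUILD_1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2023-10-16T00:00:00Z",
               "authors": [{"name": "Example Contractor Build Team"}]},
  "components": [
    {"bom-ref": "app", "name": "example-app", "version": "1.0.0",
     "supplier": {"name": "Example Contractor"}, "purl": "pkg:generic/example-app@1.0.0"},
    {"bom-ref": "lib", "name": "example-lib", "version": "2.3.0",
     "purl": "pkg:pypi/example-lib@2.3.0"}],
  "dependencies": [{"ref": "app", "dependsOn": ["lib"]}]}""")
# Build 2 integrates a patched dependency and fills in the missing supplier.
BUILD_2 = copy.deepcopy(BUILD_1)
BUILD_2["components"][1].update(version="2.3.1", purl="pkg:pypi/example-lib@2.3.1",
                                supplier={"name": "Example Lib Maintainers"})
```

Running `missing_minimum_elements(BUILD_1)` reports the missing supplier on the dependency, and `refiling_required(BUILD_1, BUILD_2)` returns True because the dependency version changed.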

Contractor Information Systems Access Requirements

This change requires that, in response to a security incident reported by the contractor or identified by the Government, the contractor must, when asked, provide CISA, the FBI, and the contracting agency full access to applicable contractor information and information systems, as well as to contractor personnel.

2. Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems

This change proposes standardized cybersecurity policies, procedures, and requirements for Federal Information Systems (FIS). To that end, the proposal adds two new FAR clauses: one for FISs using cloud computing services and one for FISs using non-cloud computing services.

A. FISs Using Non-Cloud Computing Services

This requires agencies to use the Federal Information Processing Standard (FIPS) Publication 199 to categorize the impact level of information processed, stored, and transmitted in the system.

For moderate/high impact levels, FIS contractors must

  • perform annual cyber threat hunting, vulnerability assessment, and search for indicators of compromise
  • perform an independent assessment of the security of each FIS
  • implement the recommended improvement or mitigation as required by the contracting officer
  • refer to controls from NIST SPs 800-53, 800-213, 800-161, and 800-82

B. FISs Using Cloud Computing Services

For cloud-based services, the contractor must

  • implement FedRAMP-based controls and safeguards
  • implement continuous monitoring and report as required by FedRAMP
  • implement proper disposal of Government and related data

Who is affected?

The reporting requirements apply to all contractors (and subcontractors) whose product or service offered to the Government includes Information and Communication Technology (ICT), or whose information systems are used in developing or providing that product or service.

The FAR Council assumes that 75% of all entities are awarded contracts that include some ICT.

Implications

The proposed rules are open for public comment and are subject to clarification and changes. However, the proposal underscores the commitment to stricter cybersecurity requirements and “harmonizing” cybersecurity regulations across federal agencies.

Specifically:

  1. Cybersecurity obligations are not limited to large contracts and will flow down from federal contractors to subcontractors (the ‘software supply chain’, where the subcontractor builds part of the product).
  2. The definition and scope of “security incident” reporting requirements are expanding and are expected to create implementation questions and challenges depending on the size of the contractor and its agency.
  3. SBOMs will become a crucial part of selling software to the Government. Given that NTIA’s Minimum Elements document is up for revision, the SBOM requirements will likely continue to evolve.
  4. These rules increase the Government’s right to contractors’ data and are likely to run into legal concerns over privacy.
  5. Inaccurate representation of cyber incidents or related cyber data increasingly carries liability risk. Combined with the ‘full access’ provision for new security incidents, even historic misrepresentations can remain a concern for contractors.

Interlynk is making security disclosure easy, obvious, and automated. We are happy to answer any questions you might have. Feel free to reach out to us at hello@interlynk.io or via interlynk.io