Proposed Rules Overhaul Cybersecurity Requirements for … – JD Supra

The Federal Acquisition Regulation (FAR) Council has proposed two new cybersecurity rules that would impose significant obligations and risks for federal government contractors.

TAKEAWAYS

On October 3, 2023, the Federal Acquisition Regulation (FAR) Council proposed two rules, "Cyber Threat and Incident Reporting and Information Sharing" and "Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems." The proposed rules partially implement Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which focuses on improving the nation's cybersecurity and protecting against cyber threats by revamping incident reporting and information sharing for federal contractors and implementing related cybersecurity policies. On November 1, 2023, the FAR Council extended the comment period for these proposed rules until February 2, 2024.

As explained below, these rules are significant because they impose extensive and onerous obligations on contractors and their supply chains. In addition, both proposed rules include a statement that compliance with their respective requirements is material to eligibility and payment under Government contracts. This language strongly suggests that the government will take the position that failure to comply with these requirements could result in liability under the False Claims Act.

FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing

FAR Case 2021-017 provides a new FAR clause, FAR 52.239-ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology, which will impose the following significant obligations on contractors and subcontractors, among others:

Security Incident Reporting Harmonization. Under the new rule, contractors will be required to immediately and thoroughly investigate all indicators that a security incident may have occurred and, within eight hours of discovery, report the incident using the Cybersecurity & Infrastructure Security Agency (CISA) incident reporting portal. Contractors are also required to update the submission every 72 hours thereafter until the contractor, the agency and/or any investigating agencies have completed all eradication or remediation activities. Notably, these requirements are in addition to other existing cyber incident reporting requirements, such as the 72-hour reporting requirement for incidents involving controlled unclassified information contained in DFARS 252.204-7012.

Access to Contractor Information and Information Systems. Following a security incident, contractors will be required to take certain steps to support the incident response. For example, contractors will have to provide CISA, the Federal Bureau of Investigation (FBI), the Department of Justice (DOJ) and the contracting agency full access to applicable contractor information and information systems, and to contractor personnel. Contractors will also be required to collect and preserve data and information related to the incident for at least 12 months in active storage, followed by six months in active or cold storage.

Software Bills of Materials (SBOM). For any computer software used in the performance of a contract, contractors will be required to develop and maintain an SBOM, which is defined as a formal record containing the details and supply chain relationships of the various components used in building software. Contractors will be required to update the SBOM if the computer software is updated during contract performance. This requirement applies regardless of whether a security incident occurs.

FAR 52.239-ZZ will be required in all contracts, including those for commercial items and those below the simplified acquisition threshold. Contractors will also be required to flow this clause down to all subcontracts throughout the supply chain that involve information and communications technology (ICT). ICT is broadly defined as information technology and other equipment, systems, technologies or processes for which the principal function is the creation, manipulation, storage, display, receipt or transmission of electronic data and information, as well as any associated content.

FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems

The second proposed rule aims to standardize cybersecurity policies, procedures and contractual requirements for contractors that develop, implement, operate or maintain an unclassified federal information system (FIS). An FIS is defined as an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.

This proposed rule creates two new FAR clauses: one that applies to non-cloud FIS, FAR 52.239-YY, Federal Information Systems Using Non-Cloud Computing Services, and one that applies to cloud-based FIS, FAR 52.239-XX, Federal Information Systems Using Cloud Computing Services. They are summarized below:

FAR 52.239-YY, Federal Information Systems Using Non-Cloud Computing Services

FAR 52.239-XX, Federal Information Systems Using Cloud Computing Services

In addition to the requirements above, both of these FAR clauses will require contractors to indemnify the government against any liability that arises out of the performance of the contract and is incurred because of the contractor's introduction of certain information or matter into Government data, or the contractor's unauthorized disclosure of certain information or material. The rule also states that contractors shall agree to waive any and all defenses that may be asserted for their benefit, including (without limitation) the Government Contractor's Defense. This indemnification provision may expose contractors to significant risk in the event of a data breach or other incident.

Both of these FAR clauses will apply to all contracts and subcontracts for such services, including contracts below the simplified acquisition threshold and contracts or orders for commercial products or services (including commercial off-the-shelf items).

Contractors are encouraged to review these proposed rules, assess their impact and begin preparations to develop new policies and procedures to become compliant with the new requirements. Comments on these rules are due by February 2, 2024.
