RGCI - Proposed FAR Changes Loaded with More Contractor Requirements for Cyber Security

The FAR Council submitted a proposed rule amending FAR subparts, provisions, and clauses on October 3, 2023, to implement an Executive Order on cyber threats, incident reporting, and information sharing for Federal contracts. This revision is being made to strengthen and standardize contractual requirements for cybersecurity across Federal agencies. The proposed rule also implements OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), dated November 19, 2020.

Major Changes in the Proposed Rule

The FAR 2.101 definition for “Information and communication technology (ICT)” has been updated to include additional examples such as telecommunications services, electronic media, Internet of Things (IoT), and operational technology, as well as revising the term “software” to “computer software.”

A new provision, FAR 52.239-AA Security Incident Reporting Representation, is proposed. This provision will require offerors to certify that they have submitted all security incident reports in a current, accurate, and complete manner.

A new clause, FAR 52.239-ZZ Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology is proposed. Additionally, FAR 52.244-6 Subcontracts for Commercial Products and Services has a proposed update to require higher-tier contractors to flow this clause down in commercial subcontracts. Subcontractors will be required to notify the prime Contractor/higher tier subcontractor within 8 hours of discovering a security incident.

In addition to the proposed provisions/clauses above, the proposed rule includes the following contractor requirements:

  • Develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract.
  • Cooperate by providing access to the Cybersecurity and Infrastructure Security Agency (CISA) engagement services as needed for threat hunting and incident response.
  • Provide full access to applicable contractor information systems and personnel to CISA, the Federal Bureau of Investigation (FBI), and the contracting agency in response to a security incident reported by the contractor or identified by the Government.
  • Report security incidents and take actions to support incident response. Contractors operating in certain foreign countries may be subject to laws and regulations of those countries impacting the type of information or access that can be provided to the U.S. Government.
  • Immediately investigate the security incident and submit information via the CISA incident reporting portal within 8 hours of discovery, with updates every 72 hours until investigation or remediation activities are complete.

While some of the requirements in the proposed rule will have to be performed whether you have a cyber incident or not (e.g., certification, flow down to subcontractors, developing an SBOM), contractors should ensure they have controls in place to prevent cyber incidents so they are not subject to the incident-driven reporting and access requirements.

Government Contractor Takeaways

Redstone recommends contractors begin developing a software bill of materials for any software used in performing contracts. In addition, contractors should ensure they have controls in place to prevent cyber-attacks. Redstone recommends companies assess their current information systems to ensure threat detection and prevention controls are in place, such as:

  • multi-factor authentication (e.g., passwords combined with fingerprints or facial or voice recognition);
  • employee access to information systems limited to what each role requires;
  • software and operating systems kept up to date; and
  • a backup process implemented in the event of a cyber-attack.

Contractors should develop and maintain an incident response plan, define roles, and include steps to resolve, document, and communicate a cyber incident efficiently and properly. Small businesses that don’t have information technology (IT) staff may need to obtain outside assistance to meet the requirements. Eight hours is not much time.

Comments on the proposed rule are due by December 4, 2023. The proposed rule includes questions on which DoD, GSA, and NASA are requesting contractor input (e.g., how SBOMs should be collected from contractors, challenges contractors face in developing SBOMs, concerns with providing CISA, the FBI, or the contracting agency full access to information, and situations where a company cannot comply with the incident reporting requirements due to foreign country laws). Redstone recommends contractors read the proposed rule and submit comments. It is rare that the FAR Council requests input on specific areas rather than general comments.

Redstone GCI can provide our clients with more information and guidance, working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and Plans of Action and Milestones (POA&Ms) for the information technology infrastructure, as well as developing software bills of materials (SBOMs). Redstone GCI, along with our trusted partners, can bring you a full solution by ensuring cybersecurity policy and flow-down requirements are addressed across all aspects of your business, including but not limited to purchasing policy requirements.

Written by Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability, or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS, and made NASBA-certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost, and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors’ assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

  • State of Florida Certified Public Accountant
  • State of Alabama Certified Public Accountant
  • Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing
  • DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity