The Federal Acquisition Regulatory (FAR) Council on Oct. 3, 2023, issued two proposed rules to partially implement President Biden’s Executive Order on Improving the Nation’s Cybersecurity.[1] The first proposed rule imposes security incident reporting requirements on federal contractors, whereas the second aims to standardize cybersecurity contractual requirements for unclassified federal information systems. The proposed rules, as drafted, will have a major impact on contractors and come at a time when cybersecurity concerns are front of mind for the government.
Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017)
Make no mistake: The federal government takes cyber incident reporting and information sharing very seriously. Indeed, the preamble of the proposed rule states that compliance with the requirements of the proposed rule is considered “material to eligibility and payment under Government contracts” – a not-so-subtle reference to recent court cases that allowed for implicit certifications as a basis for False Claims Act cases. So, what exactly is in the proposed rule? Let’s dive in.
The rule proposes a new FAR clause, FAR 52.239-ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology, and a corresponding solicitation provision, FAR 52.239-AA, Security Incident Reporting Representation. The clause would be required in all solicitations and contracts (yes, including solicitations and contracts below the simplified acquisition threshold (SAT) and those for commercial items), and contractors would be required to flow the clause down, in its entirety, to all subcontracts where information and communications technology (ICT) “is used or provided in performance of the subcontract[.]”
Security Incident Reporting: Under the proposed rule, contractors would be required to “immediately and thoroughly investigate all indicators that a security incident may have occurred” and submit information to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours of discovery. Notably, the rule defines a “security incident” as the “actual or potential” occurrence of any of the following:
- any event or series of events, which pose(s) actual or imminent jeopardy, without lawful authority, to the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
- any malicious computer software discovered on an information system or
- transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level
After reporting the incident to CISA within eight hours, contractors must then update the information provided every 72 hours thereafter until all eradication or remediation activities have been completed. For cyber incidents involving specific types of information (e.g., controlled unclassified information), any separate/standalone reporting requirements still apply – this rule does not subsume other cyber incident reporting requirements, such as those imposed by DFARS 252.204-7012.
Supporting Incident Response: The proposed FAR clause would impose several requirements on contractors to support security incident responses, including the preservation and protection of data, development and maintenance of customization files, and development and maintenance of a software bill of materials (SBOM) for “each piece of computer software” used in contract performance.
- Data Preservation and Protection: The draft FAR clause requires the collection and preservation of data and information relevant to security incident prevention, detection, response and investigation within information systems used in developing or providing ICT products or services to the government. Contractors would be required to preserve the data for “at least 12 months in active storage followed by 6 months in active or cold storage.”
- Customization Files: The rule proposes a requirement that contractors develop, store, and maintain – throughout the life of the contract and for at least one year thereafter – an “up-to-date collection of customizations that differ from manufacturer defaults on devices, computer software, applications, and services” for all information systems used in developing or providing an ICT product or service to the government. Such customization files include configuration files, logic files and settings on web and cloud applications.
- SBOMs: The clause includes a requirement that contractors develop and maintain a software bill of materials (SBOM), defined as “a formal record containing the details and supply chain relationships of various components used in building software[,]” for “each piece of computer software” used in contract performance, regardless of whether there is a security incident. The contractor must update the SBOM if the computer software is updated “with a new build or major release” during contract performance.
Incident and Damage Assessment Activities: If the government elects to conduct an incident or damage assessment regarding a security incident, the contractor must “promptly” provide the government SBOMs, customization files, and data and information relevant to security incident prevention, detection, response and investigation discussed above.
Malicious Computer Software: In the event a contractor discovers malicious computer software in connection with a security incident, the contractor must submit the malicious code samples or artifacts to CISA within eight hours of discovery. This requirement is in addition to the security incident reporting requirement discussed above (which also must occur within eight hours).
Access, Including Access to Additional Information or Equipment Necessary for Forensic Analysis: The proposed rule would also require the contractor to give CISA, the FBI and the contracting agency “full access” to applicable contractor information systems and contractor personnel in response to any reportable or identified security incident. “Full access,” as defined by the draft FAR clause, means, for contractor information systems used in or supporting contract performance:
- physical and electronic access to contractor networks, systems, accounts dedicated to government systems, other infrastructure housed on the same computer network and other infrastructure with a shared identity boundary or interconnection to the government system
- provision of all requested government data or “Government-related data” including images, log files, event information and statements of contractor employees describing what they witnessed or experienced in connection with the contractor’s performance
Cyber Threat Indicators and Defensive Measures Reporting: The proposed rule would require contractors, during contract performance, to subscribe to the Automated Indicator Sharing (AIS) capability (or successor technology) and share cyber threat indicators and defensive measures.
Internet Protocol Version 6 (IPv6): Finally, for any ICT provided to the government that uses internet protocols, contractors will be required to implement IPv6 (as specified in NIST SP 500-267B) and provide the contracting officer a copy of or access to the corresponding supplier’s declaration of conformity, a standardized format to document the USGv6 capabilities supported by a specific product or set of products, and traceability back to the accredited laboratory that conducted the tests.
Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019)
The second rule aims to provide a minimum set of cybersecurity standards and contractual requirements to be applied consistently to federal information systems (FIS) (i.e., information systems used or operated by or on behalf of federal agencies). As with the Incident Reporting and Information Sharing proposed rule, this rule also “underscores that compliance with these requirements is material to eligibility and payment under Government contracts.”
The proposed rule specifies the policies, procedures and requirements that apply for contracts to develop, operate or maintain an FIS, depending on the service approach (utilization of cloud computing services, services other than cloud computing services or a hybrid approach) and includes two new FAR clauses: FAR 52.239-YY, Federal Information Systems Using Non-Cloud Computing Systems, and FAR 52.239-XX, Federal Information Systems Using Cloud Computing Services.
Federal Information Systems Using Non-Cloud Computing Services: The FIS Non-Cloud Computing Services FAR clause would be required in solicitations and contracts when acquiring FIS services that use, or are anticipated to use, non-cloud computing services in contract performance. The contractor would be required to flow the clause down to all subcontracts for FIS services using other than cloud computing services.
FIPS Publication 199 Assessments: The proposed rule directs agencies to use Federal Information Processing Standards (FIPS) Publication 199 to categorize the FIS based on its impact analysis of the information processed, stored or transmitted in the system. When an FIS is designated as a moderate or high FIPS Publication 199 impact level, the proposed FAR clause would require contractors to annually 1) conduct a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks and indicators of compromise, and 2) perform an independent assessment of the security of each FIS. After submitting the results to the contracting officer, the agency may require the contractor to implement the recommended improvement or mitigation (though the proposed rule, as drafted, does not include a provision entitling the contractor to an equitable adjustment).
Specification of Additional Security and Privacy Controls: Additionally, agencies are to specify the security and privacy controls necessary for contract performance. Such controls are to be based on relevant NIST Special Publications. Contractors will be required to develop, review and update a System Security Plan and have contingency plans for all information technology systems aligned with NIST SP 800-34. Where an information system is designated as a “high value asset” by the agency (as per OMB Memorandum M-19-03), contractors must adhere to additional security and privacy controls.
Indemnification: Under the proposed rule, contractors would be required to indemnify the government from “any liability that arises out of the performance of the contract and is incurred because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.” Notably, the draft FAR clause provides that the contractor “agrees to waive any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractor Defense.’” This waiver creates a strict liability standard and eliminates any negligence defense on the contractor’s part.
Additional Considerations: The draft FAR clause also requires contractors to apply NIST SP guidance on various topics when performing or managing certain activities related to the FIS and to provide the government a copy of their “continuous monitoring strategy” for the FIS that demonstrates “an ongoing awareness of information security, vulnerabilities, and threats in order to support risk management decisions[.]”
Notifiable Incident Reporting, Incident Response and Threat Reporting: The draft FAR clause cross-references the Incident and Threat Reporting and Incident Response Requirements proposed FAR clause (discussed above) for guidance on handling security incidents and cyber threat reporting.
Other Protections: The draft FAR clause limits the contractor’s access, use and disclosure of government data, government-related data and any associated metadata unless specifically authorized. When authorized, such access, use or disclosure must be for purposes specified in the contract or order only. Contractors will be required to notify the contracting officer of any requests from third parties for access to such data, including those from other federal, state or local agencies.
Cryptographic Key Services: If the contract requires the contractor to provide cryptographic key services (i.e., an encryption algorithm), the contractor must provide the agency the applicable key material and services; however, the government reserves the right to implement and operate its own cryptographic key services.
Operational Technology Equipment List: The draft FAR clause requires contractors to develop and maintain a list of the physical location of all operational technology equipment within the boundary for the non-cloud FIS and provide a copy to the government upon request.
Federal Information Systems Using Cloud Computing Services: The requirements applicable to FIS services using cloud computing services largely follow the requirements applicable to FIS using non-cloud computing services. The proposed rule contains additional safeguard and control requirements (in accordance with FedRAMP) and specifies appropriate disposal methods for government data and government-related data.
These two new proposed rules, if adopted in their current form, will dramatically change the compliance and reporting landscape for government contractors across industries. Interested parties can comment until Dec. 4, 2023.
Contractors should pay close attention to the development of these rules and, because of the long lead time for compliance, should start to understand them now and prepare to comply.
[1] E.O. 14028, 86 Fed. Reg. 26633.