The FAR Council’s New Proposed Cybersecurity Rules and Where They Stand

The FAR Council proposed two new cybersecurity rules late last year that could have a dramatic impact on federal contractors. What new responsibilities do these rules introduce, and when will they become effective?

Last October, the Federal Acquisition Regulatory (FAR) Council, an interagency body responsible for establishing procurement policies across the federal government, proposed a pair of new rules. If finalized and entered into force, these rules could dramatically impact the way federal contractors report and respond to cyberattacks and other cybersecurity incidents. 

The first proposed rule, Cyber Threat and Incident Reporting and Information Sharing—which includes clauses FAR 52.239-ZZ and FAR 52.239-AA—was issued under FAR Case 2021-017. The second rule, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems—including FAR 52.239-XX and FAR 52.239-YY—was issued under FAR Case 2021-019.

The issuance of these proposals on October 3 initiated a 60-day comment period that was set to close on December 4, 2023. On November 1, the FAR Council extended the comment period for the proposed rules until February 2, 2024. Since then, there have been no official updates from the FAR Council or any of the agencies that jointly administer the Federal Acquisition Regulation regarding a finalization of the rules or an effective date for their implementation. 

Due to the scope of the rules and the magnitude of responsibility they would impose on federal contractors, however, businesses should be aware of exactly what FAR Cases 2021-017 and 2021-019 entail. 

President Biden’s Cybersecurity Executive Order 

In May 2021, President Biden signed Executive Order 14028, lucidly titled “Improving the Nation’s Cybersecurity.” The executive order’s stated goal was to enhance various cybersecurity measures in order to protect the federal government against what the White House characterized as “persistent and increasingly sophisticated malicious cyber campaigns.” The presidential directive came in the wake of two massive and largely unprecedented cyberattacks—the 2020 hack of SolarWinds and the Microsoft Exchange data breach in early 2021. These acts of cyber espionage, perpetrated by hacker groups affiliated with major American adversaries, arguably signaled the emergence of a new era of cyberwarfare. In their aftermath, the U.S. government felt a growing sense of urgency to begin devising a broad, unified plan to fortify its data systems. 

President Biden’s executive order charged the federal government with bringing to bear “the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.” The order specifically called for new cyber incident protocols between the government and federal contractors, the modernization of cybersecurity infrastructure through secure cloud services and zero trust architecture, and standardizing responses to cybersecurity threats across all federal agencies, among other mandates. 

The new rules proposed by the FAR Council this past October represent a furthering of the effort to implement the 2021 executive order. By strengthening and expanding the reporting requirements for federal contractors following cyber incidents, the FAR Council hopes to create the conditions for more agile, proactive government responses to cyberattacks and other nefarious threats to national security. 

FAR Case 2021-017: Scope and Cybersecurity Requirements 

There are two clauses in the first proposed rule: FAR 52.239-ZZ and FAR 52.239-AA. Both would introduce new responsibilities for federal contractors, either in direct response to a cyber incident or in the form of precautionary measures in the event that one does occur. 

FAR 52.239-ZZ 

The official language for FAR 52.239-ZZ is “Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology.” FAR 52.239-ZZ seeks to update and enhance the contractual obligations on federal contractors following security incidents. It does this by proposing new requirements for responding to security incidents in a timely and comprehensive fashion; cooperating with government agencies investigating such incidents; and maintaining any files, records, and other documentation that could aid in the incident response process.

According to the proposal, a “security incident” encompasses more than just cyberattacks and other cybersecurity incidents. The FAR Council also uses the term to refer to more general violations of the law, security policies, or security procedures, as well as the transfer of classified information or controlled unclassified information (CUI) to any information system below authorized government security levels. 

  • Incident Reporting Timeline

FAR 52.239-ZZ updates the time period contractors have for reporting security incidents to the government. Under the new rule, contractors are obligated to report these incidents, along with any relevant accompanying information, through the Cybersecurity and Infrastructure Security Agency’s (CISA) incident reporting portal within eight hours of the incident’s initial discovery. Further, the submission must be updated every 72 hours thereafter until all government agencies have completed their investigations. 

Reporting incidents in such a timely fashion supports government agencies and their teams in carrying out the most effective, dynamic responses possible. As the proposed rule explains, swift reporting and consistent updates aid investigators in conducting “rapid data analysis to promptly identify activity and actions of malicious actors, threats, and indicators of compromise.”

  • Further Actions Supporting Government Incident Response 

In addition to reporting security incidents through the CISA portal within the prescribed time frame, contractors must also participate in several other activities that help facilitate the government’s threat response. First, covered parties are obligated to provide the CISA, FBI, and/or contracting agency with complete access to all relevant information, information systems, and personnel in the immediate wake of a security incident. 

Federal contractors are also responsible for preserving any and all data related to the reported security incident. This includes keeping network traffic data, perimeter defense logs, telemetry, and other relevant information in active storage for 12 months, followed by an additional six months in active or cold storage. 

Finally, the new FAR rule would require contractors to subscribe to CISA’s Automated Indicator Sharing (AIS) program for the purposes of communicating cyber threat indicators and recommended defense measures. (Contractors are responsible for engaging with the AIS platform regardless of whether a security incident has occurred.) 

  • Software Bill of Materials

Beyond the response and reporting requirements, FAR 52.239-ZZ introduces new responsibilities for federal contractors to maintain a software bill of materials (SBOM) that includes any software used for work performed under the federal contract. The government defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software.” According to the Department of Commerce, SBOM data “improves both vulnerability identification and the speed of response,” and “using it to identify and analyze known vulnerabilities and potential mitigations are crucial in managing risk.”

Notably, contractors are responsible for maintaining SBOMs under all circumstances, including when there is no known security incident. They are also required to modify their SBOMs if and when the computer software they are utilizing is updated during the performance of a contract. A more complete accounting of all the requirements for SBOMs and their maintenance during the fulfillment of federal contracts can be found in the Department of Commerce’s Minimum Elements for a Software Bill of Materials.
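To make the SBOM obligation concrete, the following is an added example (not code from the page, from the FAR Council, or from Z2Data) that stores each component as a record carrying the seven minimum data fields named in the Department of Commerce/NTIA Minimum Elements document (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), flags records that are missing any of them, and shows how an entry is revised when a component is updated during contract performance. The component names, suppliers and package URLs are constructed sample values, and the attribute names are this example's own choice, not a required schema.

```python
"""Minimum-elements check and update helper for a small SBOM (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The seven NTIA/Department of Commerce minimum data fields, mapped to the
# attribute names chosen for this example.
MINIMUM_ELEMENTS = (
    "supplier", "name", "version", "unique_id", "depends_on", "author", "timestamp",
)


@dataclass(frozen=True)
class Component:
    supplier: str                       # supplier name
    name: str                           # component name
    version: str                        # version of the component
    unique_id: str                      # other unique identifier, e.g. a package URL
    depends_on: Optional[Tuple[str, ...]]  # dependency relationship; None = unknown, () = none
    author: str                         # author of the SBOM data
    timestamp: str                      # ISO-8601 time the entry was recorded


def missing_elements(component: Component) -> List[str]:
    """Return the minimum elements that are absent (None) or empty strings."""
    missing = []
    for field_name in MINIMUM_ELEMENTS:
        value = getattr(component, field_name, None)
        if value is None or value == "":
            missing.append(field_name)
    return missing


def validate_sbom(sbom: List[Component]) -> Dict[str, List[str]]:
    """Map each incomplete component to its missing fields; an empty dict means every record is complete."""
    problems = {}
    for component in sbom:
        missing = missing_elements(component)
        if missing:
            key = component.unique_id or f"<no id: {component.name}>"
            problems[key] = missing
    return problems


def dependents_of(sbom: List[Component], name: str) -> List[str]:
    """Names of components that declare a dependency on `name` (useful when `name` is updated)."""
    return [c.name for c in sbom if c.depends_on and name in c.depends_on]


def update_component(sbom: List[Component], unique_id: str, new_version: str,
                     new_unique_id: str, author: str, now: Optional[str] = None) -> List[Component]:
    """Return a new SBOM in which the component identified by `unique_id` is
    re-recorded with its new version, new identifier and a fresh timestamp."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    updated, found = [], False
    for component in sbom:
        if component.unique_id == unique_id:
            updated.append(replace(component, version=new_version, unique_id=new_unique_id,
                                   author=author, timestamp=now))
            found = True
        else:
            updated.append(component)
    if not found:
        raise KeyError(f"no component with unique_id {unique_id!r}")
    return updated


# Constructed sample SBOM: two complete records and one deliberately incomplete one.
SAMPLE_SBOM = [
    Component("ExampleCorp", "reportsvc", "2.1.0", "pkg:generic/examplecorp/reportsvc@2.1.0",
              ("libparse",), "ExampleCorp SBOM tool", "2024-03-01T10:00:00+00:00"),
    Component("Open Parse Project", "libparse", "1.4.2", "pkg:generic/openparse/libparse@1.4.2",
              (), "ExampleCorp SBOM tool", "2024-03-01T10:00:00+00:00"),
    Component("", "legacy-util", "0.9", "", None, "ExampleCorp SBOM tool",
              "2024-03-01T10:00:00+00:00"),
]

if __name__ == "__main__":
    print("incomplete records:", validate_sbom(SAMPLE_SBOM))
    print("affected by a libparse update:", dependents_of(SAMPLE_SBOM, "libparse"))
    revised = update_component(SAMPLE_SBOM, "pkg:generic/openparse/libparse@1.4.2", "1.4.3",
                               "pkg:generic/openparse/libparse@1.4.3", "ExampleCorp SBOM tool")
    print("revised:", [(c.name, c.version, c.timestamp) for c in revised])
```

The `depends_on` field distinguishes "no dependencies" (an empty tuple) from "not recorded" (`None`), because the minimum-elements guidance treats the dependency relationship as required data even for a component that has none; only the latter case is reported as missing. Running the check before each deliverable, and again after any software update, is the kind of routine the clause's "maintain and modify" language implies.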

FAR 52.239-AA 

The second clause in Case 2021-017, FAR 52.239-AA, is considerably narrower and more specific. Titled “Security Incident Reporting Representation,” it requires all aspiring contractors making an offer to the federal government to certify that they have historically complied with FAR 52.239-ZZ. This includes representing that they have submitted all requisite security incident reports under any past and existing contracts in a “current, accurate, and complete manner.” 

The rule further obligates all offerors to attest that they have flowed down the rule in previous contracts by requiring all lower-tier subcontractors to include the substance of the rule in their subcontracts. 

FAR Case 2021-019: Scope and Cybersecurity Requirements 

The FAR Council issued the second proposed rule, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, under Case 2021-019. The express objective of this rule is to standardize cybersecurity requirements across federal agencies, with a particular focus on unclassified federal information systems (FIS). Case 2021-019 is split into two clauses whose delineations are largely self-explanatory. The first is FAR 52.239-XX, “Federal Information Systems Using Cloud Computing Services,” and it covers FIS that are cloud-based. The second is FAR 52.239-YY, “Federal Information Systems Using Non-Cloud Computing Services,” and the clause encompasses all FIS that do not utilize cloud computing systems. 

The federal government defines a federal information system as an “information system used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency.”

FAR 52.239-XX 

This clause would require agencies to determine the impact level of a contractor’s cloud-based information system using the Federal Information Processing Standard Publication 199 (FIPS-199), as well as the corresponding Federal Risk and Authorization Management Program (FedRAMP) authorization level. According to the proposed rule, agencies will need to arrive at a FIPS-199 level determination based on “impact analysis of the information processed, stored, or transmitted by the system.” Once these levels are established, the federal contractor will then be required to implement and maintain the security and privacy safeguards associated with its FedRAMP authorization level. 

In addition to these security guardrails, FAR 52.239-XX also requires contractors to participate in ongoing monitoring activities and furnish monitoring deliverables as specified in the “FedRAMP Continuous Monitoring Strategy Guide.” Finally, contractors must adhere to all specific contractual requirements regarding providing and disposing of government and government-related data. 

FAR 52.239-YY 

The requirements introduced by the clause for non-cloud-based federal information systems are slightly more complicated. As under FAR 52.239-XX, agencies will be responsible for utilizing FIPS-199 to determine the appropriate impact level and specifying that level in the contract. In addition to arriving at these levels, agencies and their contracting officers will also have to address a variety of other specific security issues, including multifactor authentication, administrative accounts, consent banners, and Internet of Things device controls. Officers are finally required to select an appropriate set of security and privacy safeguards based on an array of special publications issued by the National Institute of Standards and Technology. These include NIST SP 800-53, NIST SP 800-213, NIST SP 800-161, and NIST SP 800-82. 

In addition to the new security requirements agencies must include in contracts for FIS using non-cloud computing systems, the clause also imposes two important new responsibilities on federal contractors. First, they must provide CISA and other government agencies specified by the contracting officer with “timely and full access” to government and government-related data and personnel for audits, investigations, and inspections when such measures are deemed critical to data security. Next, any FIS assessed a moderate or high FIPS-199 impact level must carry out two annual assessments. The first is an internal assessment focused on gauging “vulnerabilities, risks, and indicators of compromise,” while the second must be an independent review of the security of their information system. Contractors are responsible for submitting the results of these annual assessments—including recommended mitigation measures—to their contracting officers. 

Indemnification Obligations 

Each of these clauses—FAR 52.239-XX and FAR 52.239-YY—includes a provision requiring federal contractors to indemnify the government from any liability stemming from their performance of the contract. The proposed rule suggests that such liabilities would primarily arise out of two scenarios: either from the contractor introducing information or matter to government data, or the contractor’s unauthorized disclosure of sensitive information or material. Crucially, the proposal also requires contractors to waive “any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractors Defense.’” This obligatory waiver imposes significant liability on contractors if and when a cyberattack, data breach, or other security incident occurs. 

Preparing for the New Cybersecurity Requirements 

It does not appear as though an effective date for these two cybersecurity rules is imminent. Following the public comment period—which was extended to February 2—the agencies comprising the FAR Council and those responsible for administering FAR must review and analyze the comments. Only after this period of analysis will they determine whether or not to publish a final rule. If issued, a final rule would initiate a timetable of at least 60 days before the regulation becomes effective. (Depending on the significance of the rule, this timeline could also extend to 120 days or longer.)

Given the length and steps involved in the regulatory rulemaking process, federal contractors have some breathing room to assess FAR Cases 2021-017 and 2021-019 and the raft of new obligations they could theoretically impose. Those businesses covered by these proposed regulations, however, should be taking the prospect of their implementation very seriously. Given the recent surge of devastating cyberattacks and President Biden’s 2021 executive order, there is no reason to doubt that these new cybersecurity mandates—or prescriptions very much like them—will become regulatory law in the near future.

The Z2Data Solution

Z2Data’s integrated platform is a holistic, data-driven supply chain risk management solution, bringing data intelligence to your engineering, sourcing, supply chain and compliance management, ESG strategy, and business leadership. It enables intelligent, rapid strategic decisions to manage and mitigate supply chain risk in a volatile global marketplace and to build resiliency and sustainability into your operational DNA.

Our proprietary technology, augmented with human and artificial intelligence (AI), fuels essential data, impactful analytics, and market insight in a flexible platform with built-in collaboration tools that integrates into your workflow.
