FAR Council Debuts Significant New Cybersecurity Requirements for Federal Contractors

On Oct. 3, 2023, the FAR Council released two separate and extensive proposed rules addressing new cybersecurity requirements, at least one of which applies to most, if not all, federal contractors. Each rule leaves significant questions unanswered; contractors wishing to submit comments (seeking answers) must do so by Dec. 4, 2023. Below is a summary of the most significant terms set out in these rules:

Cyber Threat and Incident Reporting and Sharing

Expanded Definition of “Information and Communication Technology”: The FAR 2.101 definition of “Information and Communication Technology” (ICT) will change to include “[t]elecommunications services, electronic media, Internet of Things (IoT) devices, and operational technology.” The revision presumably will extend the requirements of FAR Subpart 39.2 and other FAR sections addressing ICT, such as those ensuring access for disabled individuals, to those technologies.

Shift to Internet Protocol Version 6: The rule continues the government’s transition to Internet Protocol Version 6 (IPv6), the current version of the protocol used to route traffic on the internet. The rule adds that all “ICT products and services must conform, at a minimum, to the IPv6 mandatory capabilities … or, if the agency Chief Information Officer (CIO) grants a waiver, provide for a product/service-specific IPv6 implementation plan.”

New Requirements To Minimize and Address Cyber Breaches: Introduces a new clause, FAR 52.239-ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology, which will apply to all solicitations and contracts, including those below the Simplified Acquisition Threshold (SAT) and those for commercial products or services, such as commercially available off-the-shelf (COTS) items.

Submission of Software Bills of Materials: The proposed clause directs contractors to submit a software bill of materials (SBOM) for any software used in the performance of a contract, regardless of whether there is a security incident. The submission must occur upon the initial use of the software in performance of the contract and must be updated, or the Contracting Officer must be given access to any updates, upon any new build or major release of that software. With the exception of the timing requirements, the submissions must comply with all of the minimum elements identified in Section IV of The Minimum Elements for a Software Bill of Materials, in the version current at the time of solicitation, published by the Department of Commerce.
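Before submitting an SBOM under a clause like this, a contractor will want an automated check that every required data field is actually present. The following is an added example written for this article; it is not part of the proposed rule, the NTIA publication, or any official tool. It assumes the SBOM is a CycloneDX-style JSON document (the key names "metadata", "components", "dependencies", "purl" and "bom-ref" follow CycloneDX conventions; SPDX carries the same information under different names) and checks the seven NTIA minimum data fields: supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, and timestamp. The two sample documents at the bottom are constructed for the example.

```python
"""Check an SBOM for the NTIA minimum data fields (added example, not official tooling).

Assumes a CycloneDX-style JSON document; the sample SBOMs below are constructed.
"""
import json
from datetime import datetime


def check_component(comp):
    """Return the NTIA data fields missing from one component entry."""
    missing = []
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier name")
    if not comp.get("name"):
        missing.append("component name")
    if not comp.get("version"):
        missing.append("version")
    # A purl, a CPE, or a cryptographic hash each satisfies "other unique identifiers".
    if not (comp.get("purl") or comp.get("cpe") or comp.get("hashes")):
        missing.append("unique identifier (purl/cpe/hash)")
    return missing


def check_sbom(doc):
    """Return {"ok": bool, "problems": [str, ...]} for a parsed SBOM dict."""
    problems = []
    meta = doc.get("metadata", {})

    # Timestamp: must be present and parse as ISO 8601 (CycloneDX uses a trailing "Z").
    ts = meta.get("timestamp")
    if not ts:
        problems.append("metadata.timestamp missing")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("metadata.timestamp is not ISO 8601")

    # Author of SBOM data: CycloneDX records this under metadata.authors or metadata.tools.
    if not (meta.get("authors") or meta.get("tools")):
        problems.append("author of SBOM data missing (metadata.authors/tools)")

    # Per-component fields; the primary component lives under metadata.component.
    components = list(doc.get("components", []))
    if meta.get("component"):
        components.append(meta["component"])
    refs = set()
    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "?"
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        for field in check_component(comp):
            problems.append(f"component {label}: {field} missing")

    # Dependency relationship: every component must appear in the graph, and the
    # graph must not point at components the SBOM does not describe.
    covered = set()
    for dep in doc.get("dependencies", []):
        if dep.get("ref"):
            covered.add(dep["ref"])
        for target in dep.get("dependsOn", []):
            covered.add(target)
            if target not in refs:
                problems.append(f"dependency on undeclared ref {target}")
    for ref in sorted(refs - covered):
        problems.append(f"component {ref}: not in dependency graph")

    return {"ok": not problems, "problems": problems}


# Constructed sample: a complete SBOM for a hypothetical application.
GOOD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-10-03T12:00:00Z",
        "authors": [{"name": "Example Corp build pipeline"}],
        "component": {"bom-ref": "app", "name": "contract-app", "version": "2.1.0",
                      "supplier": {"name": "Example Corp"},
                      "purl": "pkg:generic/contract-app@2.1.0"},
    },
    "components": [
        {"bom-ref": "parser", "name": "parser-lib", "version": "1.4.2",
         "supplier": {"name": "Parser Project"}, "purl": "pkg:generic/parser-lib@1.4.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["parser"]},
        {"ref": "parser", "dependsOn": []},
    ],
}

# Constructed sample with typical defects: no timestamp, a component with no
# version or identifier, and a component absent from the dependency graph.
BAD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"authors": [{"name": "Example Corp build pipeline"}]},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "supplier": {"name": "A Project"}},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.3.0",
         "supplier": {"name": "B Project"}, "purl": "pkg:generic/lib-b@0.3.0"},
    ],
    "dependencies": [{"ref": "lib-a", "dependsOn": []}],
}

if __name__ == "__main__":
    print(json.dumps(check_sbom(BAD_SBOM), indent=2))
```

The dependency check is the part most SBOM generators get wrong: a flat component list with no "dependencies" section satisfies the per-component fields but not the "dependency relationship" element, so the check treats a component that never appears in the graph as a defect rather than as an unlisted top-level item.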

Prompt Notices of Any Incident: The clause calls for contractors to report any security incident in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) incident reporting portal within eight hours of discovery and to submit updates every 72 hours thereafter until the contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities. This would require contractors to report breaches much faster than the government currently requires of most other entities.

Broad Access for the Government to Systems and Personnel: Contractors must also provide CISA, the Federal Bureau of Investigation (FBI), the Department of Justice, and the contracting agency full access to applicable contractor information and information systems, and to contractor personnel, in response to a security incident reported by the contractor or identified by the government. This requirement creates significant uncertainty about how entities can avoid waiving the Fourth Amendment protections against searches and seizures, or the attorney-client privilege and work product protections, that may otherwise apply in certain cases.

Subcontract Flow-Down Obligations: The clause carries a requirement to flow down all obligations to any lower-tier subcontractors but notes that beyond informing the government of any incident within the required timelines, subcontractors must also notify the prime contractor and any next higher-tier subcontractor within eight hours of discovering a security incident.

Foreign-Owned Vendors and Those Operating Abroad: There are no current exclusions for either foreign-owned vendors or those entities performing work outside of the United States. While the proposed rule recognizes that these requirements may conflict with other international requirements, it does not yet address the appropriate approach for resolving such conflicts. The FAR Council seeks input on this point.

Pre-Award Certifications: The new clause will be paired with provision 52.239-AA, Security Incident Reporting Representation, which will extend to all solicitations and require offerors to certify that they have submitted all required security incident reports in a timely and appropriate manner.

Calls for Input: In recognition of the major impact of these requirements, the proposed rule also contains several questions for the industry to provide input about the effects of the requirement for bills of materials for software, potential approaches for harmonizing the various breach notification requirements that different agencies have set out, and methods of protecting contractors while providing the government access to their systems and personnel.

Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems

Definition and Protection of Federal Information Systems: The rule focuses on protecting unclassified Federal Information Systems (FIS), which are information systems “used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency.” As the rule explains, its intent is to replace the current system of setting “requirements for the cybersecurity standards of unclassified FISs based [largely] on agency-specific policies and regulations.”

New FAR Terms: To that end, the rule proposes to add a new FAR subpart 39.X, “Federal Information Systems,” to prescribe policies and procedures for agencies when acquiring services to develop, implement, operate, or maintain a FIS. The rule also proposes two separate new FAR clauses for use in contracts for services to develop, implement, operate, or maintain a FIS, which the rule assumes will affect only a total of 84 contractors annually [1]:

FAR Clause 52.239-YY, “Federal Information Systems Using Non-Cloud Computing Services,” and FAR Clause 52.239-XX, “Federal Information Systems Using Cloud Computing Services,” compared term by term:

Applicability:
52.239-YY (non-cloud): Solicitations and contracts that use non-cloud computing services in the performance of the contract, regardless of the dollar value or commerciality of the product or service. The requirements of the clause extend only to those aspects of a FIS that do not involve cloud computing services.
52.239-XX (cloud): Solicitations and contracts that use cloud computing services in the performance of the contract, regardless of the dollar value or commerciality of the product or service. The requirements of the clause extend only to those aspects of a FIS that involve cloud computing services.

Restrictions on Usage and Disclosure of Data:
52.239-YY (non-cloud): Limits a contractor’s and its employees’ access to, use, and disclosure of government data, government-related data, and metadata under the contract. Requires contractors to notify the Contracting Officer promptly of any third-party request for access to government data, government-related data, or any associated metadata, including any warrants, seizures, or subpoenas received, including those from another federal, state, or local agency. Prohibits contractors from publishing or disclosing in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the contractor under the contract or otherwise provided by the government.
52.239-XX (cloud): Limits a contractor’s and its employees’ access to, use, and disclosure of government data and government-related data under the contract. Requires contractors to notify the Contracting Officer promptly of any third-party request for access to government data or government-related data, including any warrants, seizures, or subpoenas received, including those from another federal, state, or local agency.

Security Assessments:
52.239-YY (non-cloud): When a FIS is designated as moderate or high impact level, the clause requires contractors (1) to conduct, at least annually, a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks, and indicators of compromise; and (2) to obtain an annual, independent assessment of the security of each FIS. Upon completion, contractors must submit the results of an assessment, including any recommended improvements or risk mitigations, to the Contracting Officer, who may require the contractor to implement specific improvements or mitigations or provide the contractor with documentation of the rationale for not doing so. Contractors may rely on third-party assessment organizations to perform these assessments, provided there are no conflicts of interest, but if they do they must enter into confidentiality agreements with those organizations to protect federal data under the contract.
52.239-XX (cloud): N/A.

Security Controls:
52.239-YY (non-cloud): Contractors will be required to implement and maintain substantial security and privacy controls necessary for contract performance, as specified by the agency; if the FIS is designated as a high value asset, those may include additional, more burdensome controls. Contractors will also have to: (1) develop, review, and update as appropriate a system security plan to support authorization of all applicable FIS; (2) maintain contingency plans for all information technology systems; and (3) provide the government with a copy of their continuous monitoring strategy for the FIS, which must demonstrate an ongoing awareness of information security, vulnerabilities, and threats in order to support risk management decisions, apply automation wherever possible, and protect vulnerability scan data, logs, and telemetry.
52.239-XX (cloud): Contractors will be required to implement and maintain the security and privacy safeguards and controls in accordance with the FedRAMP level specified by the agency, engage in continuous monitoring activities, and provide continuous monitoring deliverables as required for FedRAMP-approved capabilities. If the FIS is designated as a high value asset, contractors will also have to maintain all government data that is not physically located on United States government premises within the United States or its outlying areas, unless exempted.

Indemnification Requirements:
Both clauses: The contractor must broadly indemnify the government from any liability that arises out of performance of the contract because of the contractor’s introduction of certain information or matter into government data or the contractor’s unauthorized disclosure of certain information or material.

Broad Access for the Government to Systems, Personnel, and Facilities:
Both clauses: Contractors must provide the government’s authorized representatives (including CISA and other federal agencies specified by the Contracting Officer) with access to government and government-related data, contractor personnel, and contractor facilities for any program of inspection to safeguard against threats and hazards to the security (i.e., confidentiality, integrity, and availability) and privacy of government data, or for audits, investigations, inspections, or similar activities, as authorized by law, regulation, or the contract.

Subcontract Flow-Down Obligations:
52.239-YY (non-cloud): The substance of the clause must be included in all subcontracts issued under the contract for services to develop, implement, operate, or maintain a FIS using non-cloud computing services.
52.239-XX (cloud): The substance of the clause must be included in all subcontracts issued under the contract for services to develop, implement, operate, or maintain a FIS using cloud computing services.

Takeaways:

Both of these proposed rules, if and once finalized, are likely to require federal contractors to pay more attention to the systems they use in performing government contracts, both to better mitigate the risk of cybersecurity incidents and to improve their ability to identify and report those incidents if they do occur. Given the costly consequences of non-compliance, and the time and expense required to bring any system in line with major technical upgrades, contractors who cannot meet these requirements today should make the necessary upgrades a priority as soon as possible. Contractors also should not delay in discussing these requirements with their subcontractors, who are likely to need even more time to get up to speed. These proposed rules are not likely to become final and require compliance immediately, probably not until the next calendar year. However, given the government’s recent focus on cybersecurity, contractors who do not take these proposed changes seriously do so at their own peril.


[1] This estimate accounts for 28 contractors affected by the non-cloud FIS clause and 56 contractors affected by the cloud FIS clause.
