Almost 10 years after the Department of Defense (DoD) established rules that require mandatory reporting of cyber incidents, the Federal Acquisition Regulation (FAR) Council recently released a pair of proposed rules: The first rule imposes security incident reporting requirements on federal contractors, whereas the second aims to standardize cybersecurity contractual requirements for unclassified Federal Information Systems (FIS).

The rules could have significant implications for both government prime contractors and subcontractors.

When enacted, these rules could implement new security measures and incident reporting requirements via FAR clauses for contractors across the entire federal government. The Cyber Threat and Incident Reporting and Information Sharing proposed rule focuses on increasing the sharing of information about cyber threats between government and private industry, while the Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems proposed rule focuses on implementing policies, procedures and requirements for contractors maintaining an FIS. 

Issued on Oct. 3, the proposed rules partially implement President Biden’s Executive Order 14028 (signed in May 2021) on “Improving the Nation’s Cybersecurity.” The proposed rules, as drafted, will have a major impact on federal contractors and come at a time when cybersecurity concerns are top of mind for the government.

For example, one section particularly germane to security integrators states:

“The Government has a responsibility to protect and secure its computer systems, whether they are cloud-based, on-premises, or a hybrid of the two. The scope of that protection and security must encompass the systems that process data (e.g., information technology (IT)) and those that run the vital machinery that ensures its safety (e.g., operational technology (OT)). The Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems (FIS).”

Operational technology is defined in the rules as: [P]rogrammable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples of operational technology include industrial control systems, building management systems, fire control systems, and physical access control mechanisms (NIST SP 800–160 vol 2).

“By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the rule proposal states. 

As part of this new rule, contractors would be required to provide access to the Cybersecurity and Infrastructure Security Agency (CISA) and to collaborate with the agency on incident response initiatives.

“If the contractor receives a request for access from CISA, the contractor must confirm the validity of the request by contacting CISA and notifying the contracting officer in writing of the request for access,” the proposal states.

The government is accepting comments from the public until Dec. 4 before issuing a final rule, a process that typically takes about one year.