WHAT: As we previously reported here, on October 3, 2023, the Federal Acquisition Regulatory Council (FAR Council) proposed a pair of major cybersecurity rules intended to implement key parts of President Biden’s May 2021 Executive Order No. 14028 on Improving the Nation’s Cybersecurity. The proposed rule in FAR Case No. 2021-0017 primarily addresses incident reporting and applies broadly to all contractors that use information and communications technology (ICT) systems in the performance of a government contract. The proposed rule in FAR Case No. 2021-0019 is intended to standardize security requirements for federal information systems (FIS) that contractors provide or maintain under a federal contract. This alert provides further analysis of these significant proposed rules.
WHEN: The FAR Council issued both proposed rules on October 3, 2023, with a request for comments within 60 days (by December 4, 2023).
WHAT DOES IT MEAN FOR INDUSTRY: As our prior alert summarized, the FAR Council’s proposed rule on incident reporting (FAR Case No. 2021-0017) would have the broadest reach and would affect, according to the FAR Council, approximately 75% of contractors—those awarded contracts that “include some ICT.” The proposed rule in FAR Case No. 2021-0019 is intended to standardize the requirements for FIS provided or maintained as part of a contractual requirement. Continue reading for a deeper dive into the key issues in these two proposed rules.
FAR Case No. 2021-0017, Cyber Threat and Incident Reporting
The proposed rule introduces two additions to FAR Subpart 52.239:
Support the originator by clicking the read the rest link below.