Until now, the government's baseline security rules for contractors have come from Federal Acquisition Regulation (FAR) clause 52.204-21, which is lame at best. It lists fifteen short requirements along the lines of “limit system access to authorized users”. By comparison, the bible the government uses when security really matters, NIST Special Publication 800-53, runs to roughly 500 pages. The -21 clause is a page and a half.
That is all about to change if the FAR Council, which is responsible for the federal acquisition regulations, has its way.
The FAR Council proposed two new rules earlier this month which, if enacted, would be binding on the agencies that buy under the FAR. The Council itself is made up of DoD, GSA and NASA, so those three are covered at a minimum.
Even though the rules as proposed will change before they become final, and they will, the days of ridiculously inadequate cybersecurity regulations for anyone selling to the government – INCLUDING COMMERCIAL OFF THE SHELF products – are over.
Our friends at the MoFo mega-law firm have a great blog post on the subject, so I will not attempt to steal their thunder. Read their piece if you sell to the government, but here are a few highlights.
All of this, and a lot more, flows from the 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028). Because these are regulations rather than statute, a future President could in principle decide that he or she doesn't care whether the Chinese or Russians steal all of our intellectual property, but that position would not be well received by the folks who say they care about national security. More to the point, if these rules are final by January 2025, getting a FAR clause undone requires the same rulemaking process as getting it done, so reversing them would be just as slow and painful.
Stay tuned; this will unfold over the next months and may happen sooner rather than later, though nobody knows the exact timing. Rumors have been flying that the work DoD has been doing to get the new CMMC regulations approved has been coordinated with the FAR Council. If so, and we don't know that it is, this may be closer to done than we might think.
Definitely, long past due.
Credit: MoFo