
FAR Council Proposes New Security Rules for **ALL** Government Contractors

Until now, the government's security rules for contractors have been guided by Federal Acquisition Regulation (FAR) 52.204-21, which is lame at best. It is maybe a dozen and a half requirements like "limit system access to authorized users". The bible the government uses when security really matters, NIST Special Publication 800-53, is 500 pages long by comparison. FAR 52.204-21 is a page and a half.

That is all about to change if the FAR Council, which is responsible for the federal acquisition regulations, has its way.

The FAR Council proposed two new rules earlier this month which, if enacted, would be binding on DoD, NASA and the GSA, at least.

Even assuming the rules as proposed will change before they become final, and they will, the days of ridiculously inadequate cybersecurity regulations for anyone selling to the government – INCLUDING COMMERCIAL OFF THE SHELF products – are over.

Our friends at the MoFo mega-law firm have a great blog post on the subject, so I will not attempt to steal their thunder – read their piece if you sell to the government – but here are a few highlights.

  • Remember all the complaints about the SEC's new rules giving publicly traded companies 72 hours to report a breach? Under these rules you will have 8 hours, and then you have to update the government every 72 hours.
  • Contractors MUST provide software bills of materials (SBOMs) for all software sold to the government. Period. Very simple. Not vague.
  • Contractors must certify annually that they are in compliance (and remember that the DoJ stood up a whole new division to go after fraud in late 2021, and they have been busy).
  • Just to eliminate any confusion, in both rules the government says that compliance with these cybersecurity and incident reporting requirements is material to eligibility and payment under government contracts. Just to eliminate any question about whether you might get debarred or not get paid if you break these rules – they say that is a possible outcome.
  • It will be a REQUIREMENT of the government to ANNUALLY conduct a FIPS 199 assessment of confidentiality, integrity and availability for both government and contractor information systems.

All of this and a lot more is a result of the Executive Order on cybersecurity. Since this is regulation-based, it could be that the next President could say that he or she doesn't care if the Chinese or Russians steal all of our intellectual property, but that probably would not be well received by the folks who say they care about national security. This could be a done deal by January 2025, and getting FARs undone is just as hard as getting them done.

Stay tuned; this will unfold in the next months and may happen sooner rather than later (the timing is unknown). Rumors have been flying that the work the DoD has been doing to get the new CMMC regulations approved has been coordinated with the FAR Council. If so, and we don't know, this may be closer to done than we might think.

Definitely, long past due.

Credit: MoFo