United States: Two New Cybersecurity Proposed Rules Mean Big Changes For Federal Contractors – S…

By Townsend L. Bourne
The proposed rule published in the Federal Register on October 3, 2023, includes changes to the Federal Acquisition Regulation (FAR) requirements relating to Section 889, which governs prohibitions on the supply and use of covered telecommunications equipment and services.
The proposed rule introduces new requirements and contract clauses for federal contractors.
Let’s review some of the key points:
1) **Software Bills of Materials (SBOM)**: Federal contractors will be required to develop and maintain an SBOM for any software used in contract performance.
This includes subscribing to automated indicator sharing (AIS) capability and sharing cyber threat indicators using AIS during performance.
2) **IPv6 Implementation**: Federal contractors will need to complete IPv6 implementation activities in accordance with OMB Memorandum M-21-07, which outlines the transition to Internet Protocol Version 6.
3) **CISA Engagement Services**: Federal contractors will be required to allow access and cooperate with the Cybersecurity and Infrastructure Security Agency (CISA) for threat hunting and incident response purposes.
Recommendations from CISA are to be implemented after consultation with the contractor and the agency.
4) **Access to Contractor Information and Systems**: In the event of a security incident, federal contractors must provide CISA, the Federal Bureau of Investigation (FBI), and the contracting agency with full access to applicable contractor information, information systems, and personnel.
5) **Operations in a Foreign Country**: The proposed rule seeks feedback on barriers faced by contractors operating outside the United States.
6) **Security Incident Reporting Harmonization**: Federal contractors are required to report security incidents through the CISA incident reporting portal within eight (8) hours of discovery, with subsequent updates provided every 72 hours until the incident is resolved.
The proposed rule also introduces new contract clauses, such as FAR 52.239-ZZ, which addresses incident and threat reporting requirements for products or services containing Information and Communications Technology (ICT), and FAR 52.239-AA, which pertains to security incident reporting representation.
In addition to the changes related to Section 889, there is another proposed rule (FAR Case 2021-019) that focuses on standardizing cybersecurity requirements for unclassified Federal Information Systems (FIS).
This rule provides standardized requirements for contractors involved in the development, implementation, operation, or maintenance of FIS.
Key points from the proposed rule for FIS contracts include:
1) **Updates to Relevant Definitions**: The proposed rule includes a new definition for “Federal Information System,” clarifying the scope and applicability of the requirements.
2) **New Requirements for FIS Contracts**: The new FAR provisions outline policies, procedures, and requirements for both agencies and contractors involved in FIS contracts.
These requirements cover various aspects, including impact analysis, multifactor authentication, administrative accounts, consent banners, IoT device controls, and assessment requirements.
3) **New Contract Clauses**: The proposed rule introduces new FAR clauses, such as FAR Clause 52.239-YY for FIS using non-cloud computing services and FAR Clause 52.239-XX for FIS using cloud computing services.
These clauses outline specific obligations, controls, and access limitations for contractors, addressing areas such as annual assessments, NIST guidelines, access to Government data, and compliance with CISA directives.
It’s important to note that public comments are being solicited for both proposed rules, and contractors and industry stakeholders are encouraged to submit written comments through the Federal eRulemaking portal by December 4, 2023.
Link: https://www.mondaq.com:443/Article/1374052