Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

NASA, GSA, and Department of Defense Propose Rule to Standardize Cybersecurity Requirements for Federal Contracts

Several U.S. federal agencies have proposed a rule, FAR Case 2021–019, and issued a call for public comment to standardize cybersecurity contractual requirements for unclassified federal information systems and a statute on improving the nation's cybersecurity.


The proposal, issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), would amend the Federal Acquisition Regulation (FAR). If adopted, the change would alter contractual requirements across federal agencies for Federal Information Systems (FIS) based on content from Executive Order 14028, Improving the Nation's Cybersecurity, and portions of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020


“Strengthening and advancing the Public-Private sector collaboration around cyber is always the right move,” said Bill Rucker, President, Trustwave Government Solutions. “This is another potential step in the right direction to ensure we continue to meet the cyber mission of the federal government and its strategic partners. The adversary’s TTPs get better every day and cyber is a team sport.”


To support the need for these changes, the agencies cited a report by the Council of Economic Advisors that stated losses to the U.S. economy due to malicious cyber activity could top $1 trillion in the coming decade. The Cybersecurity and Infrastructure Security Agency (CISA) added the danger to small and medium-sized businesses per incident could cost up to $226,000 and possibly $40 million per incident for organizations with 1,000 or more employees.


“The government must improve its efforts to identify, deter, protect against, detect, and respond to these actions. Contractors must be able to adapt to the continuously changing threat environment, ensure products are built and operate securely, and coordinate with the government to foster a more secure cyberspace,” the agencies stated in the call for comment document. 


Why Standardization is Needed


The three agencies noted that it is essential that the government and its contractors take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines.


The current process has contractual requirements for the cybersecurity standards of unclassified FISs being largely based on agency-specific policies and regulations. The call for public comment stated that the risks associated with agency-specific policies can result in inconsistent security requirements across contracts, be unclear, add costs, and restrict competition.


To resolve this issue, Executive Order 14028 requires the Department of Homeland Secretary, acting through the director of CISA, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity. 


Doing so should create a set of minimum cybersecurity standards to be applied consistently to FISs; the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats.


Additional points covered in FAR Case 2021–019 include how contractors utilize cloud, on premise and hybrid services.


For example, when an acquisition requires the use of both non-cloud computing services and cloud computing services, the rule would require compliance with the policies, procedures, and requirements for each service approach, as they respectively apply to the FIS.


Reduced Costs, Increased Competition, and More Security


The government anticipates that implementing this rule will lead to a decrease in administrative expenses for contractors seeking to offer services related to the development, implementation, operation, or maintenance of a FIS. Additionally, the FAR Council expects that introducing this proposed rule will enhance competition by introducing a standardized set of policies and procedures applicable to FISs.


By instituting consistent requirements for both the government and contractors regarding FISs, it will substantially aid the government in safeguarding federal information and systems from cyberattacks that threaten the security and privacy of both the public and private sectors.


Fed-CyberContract-Rules-Picture1 (1)


Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More