Several U.S. federal agencies have proposed a rule, FAR Case 2021–019, and issued a call for public comment to standardize cybersecurity contractual requirements for unclassified federal information systems and a statute on improving the nation's cybersecurity.
The proposal, issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), would amend the Federal Acquisition Regulation (FAR). If adopted, the change would alter contractual requirements across federal agencies for Federal Information Systems (FIS) based on content from Executive Order 14028, Improving the Nation's Cybersecurity, and portions of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020.
“Strengthening and advancing the Public-Private sector collaboration around cyber is always the right move,” said Bill Rucker, President, Trustwave Government Solutions. “This is another potential step in the right direction to ensure we continue to meet the cyber mission of the federal government and its strategic partners. The adversary’s TTPs get better every day and cyber is a team sport.”
To support the need for these changes, the agencies cited a report by the Council of Economic Advisors that stated losses to the U.S. economy due to malicious cyber activity could top $1 trillion in the coming decade. The Cybersecurity and Infrastructure Security Agency (CISA) added the danger to small and medium-sized businesses per incident could cost up to $226,000 and possibly $40 million per incident for organizations with 1,000 or more employees.
“The government must improve its efforts to identify, deter, protect against, detect, and respond to these actions. Contractors must be able to adapt to the continuously changing threat environment, ensure products are built and operate securely, and coordinate with the government to foster a more secure cyberspace,” the agencies stated in the call for comment document.
The three agencies noted that it is essential that the government and its contractors take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines.
The current process has contractual requirements for the cybersecurity standards of unclassified FISs being largely based on agency-specific policies and regulations. The call for public comment stated that the risks associated with agency-specific policies can result in inconsistent security requirements across contracts, be unclear, add costs, and restrict competition.
To resolve this issue, Executive Order 14028 requires the Department of Homeland Secretary, acting through the director of CISA, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity.
Doing so should create a set of minimum cybersecurity standards to be applied consistently to FISs; the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats.
Additional points covered in FAR Case 2021–019 include how contractors utilize cloud, on premise and hybrid services.
For example, when an acquisition requires the use of both non-cloud computing services and cloud computing services, the rule would require compliance with the policies, procedures, and requirements for each service approach, as they respectively apply to the FIS.
The government anticipates that implementing this rule will lead to a decrease in administrative expenses for contractors seeking to offer services related to the development, implementation, operation, or maintenance of a FIS. Additionally, the FAR Council expects that introducing this proposed rule will enhance competition by introducing a standardized set of policies and procedures applicable to FISs.
By instituting consistent requirements for both the government and contractors regarding FISs, it will substantially aid the government in safeguarding federal information and systems from cyberattacks that threaten the security and privacy of both the public and private sectors.