All About the Newly Proposed Cybersecurity FAR Rules
As technology advances, the federal government continues to add regulations intended to improve the security of network systems. In early October, the Federal Register published two proposed cybersecurity Federal Acquisition Regulation (FAR) rules that partially implement Executive Order 14028, “Improving the Nation’s Cybersecurity.” In this blog we discuss Executive Order (EO) 14028, the two proposed FAR rules, and how they can impact you as a government contractor.
What is the Cybersecurity Executive Order (EO)?
EO 14028, issued in 2021, directs agencies to enhance cybersecurity and software supply chain integrity. The EO places several requirements on contractors. For instance, service providers must share cyber incident and threat information that could impact government networks. The mission to “Improve the Nation’s Cybersecurity” also establishes baseline security standards for the development of software sold to the government and mandates the deployment of multifactor authentication.
The EO highlights other best practices for maintaining a mature cybersecurity posture. It is important to note that the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA) updated their guidance following this EO.
Why the Cybersecurity Executive Order Changes are Important
As a GSA Schedule contractor, it is crucial to understand how these changes may affect how you operate as a company. With the push to strengthen IT infrastructure, you may consider adopting a zero trust architecture approach, in which user identities and device trustworthiness are authenticated, monitored, and continuously validated rather than assumed.
Moreover, this executive order underlines that the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. Overall, the FAR rules ensure contractors keep national security interests in mind and follow a standardized set of rules when doing business with the federal government.
FAR Case 2021-017 Cyber Threat Incident Reporting and Information Sharing
As mentioned previously, the Federal Register published two proposed Federal Acquisition Regulation (FAR) rules to partially implement Executive Order 14028. FAR Case 2021-017, Cyber Threat Reporting and Information Sharing, proposes to broaden the scope of key definitions related to IT, among others, to include Internet of Things (IoT) devices. Broadening these definitions places IoT devices under the umbrella of Information and Communications Technology (ICT).
This case requires contractors to report security incidents within certain timeframes and to support select agencies in cyber response efforts. By complying with incident reporting requirements as a contractor, you assist the government with the prevention, detection, response, and investigation of incidents.
This FAR case also requires contractors to develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract, regardless of whether a security incident has occurred. An SBOM is an inventory of the components that make up a piece of software, including their versions, and is used to track and manage those elements and to identify which products are affected when a vulnerability in a component is disclosed. You can learn more about SBOMs and how they can be used to analyze vulnerabilities by visiting the National Telecommunications and Information Administration (NTIA) site.
FAR Case 2021-019 Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems
The FAR Case 2021-019 (Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems) proposed rule provides cybersecurity policies, procedures, and requirements for services that develop, implement, operate, or maintain a Federal Information System (FIS).
Below is a list of what this rule proposes to do:
- Define Federal Information Systems (FIS) so that the scope includes, among other systems, information systems operated by contractors on behalf of a government agency.
- Specify cybersecurity requirements for cloud-based, on-premises, and hybrid systems.
- Require contractors supporting government data processing, information technology, and operational technology to conduct an array of day-to-day functions on FIS, including a standard set of cybersecurity practices.
- Bolster data and privacy protection requirements and further enhance oversight by select government agencies.
Similar to FAR Case 2021-017, FAR Case 2021-019 focuses on the safeguards, controls, and maintenance of certain systems to provide optimal security for the government and government-related data.
What Can You Do as a GSA Schedule Contractor to Prepare for these Changes?
The Federal Acquisition Service (FAS) has invited industry partners to review the proposed FAR rules and provide comments. The comment period started in early October when the proposed rules were published and will close on December 4, 2023. Comments for FAR Case 2021-017 can be submitted here. For FAR Case 2021-019, you’ll want to submit here.
As a contractor, it is vital to be aware of updates to the Federal Acquisition Regulation (FAR). If you want to learn more about the FAR check out our blog, “A Guide to Understanding the Federal Acquisition Regulation (FAR).” You can also stay updated on the latest regulation changes by subscribing to our blog and monthly newsletter.
We know it can be challenging to keep up with developing rules, especially in an ever-changing environment. Our expert consultants are available to offer support to ensure you remain compliant and maintain your GSA Schedule.