Cybersecurity is a constant priority in the IT government contracting space, with the government continually working to enhance cybersecurity practices as technology evolves. IT government contractors should be aware of both current and future cybersecurity regulations, so they can stay compliant now and in the future.
In this blog, we’ll go over GSA cybersecurity and IT updates for Fiscal Year (FY) 2025 and how they impact IT government contractors, including contractors on the Multiple Award Schedule (MAS). These updates include recently issued or proposed Federal Acquisition Regulation (FAR) rules on cybersecurity and relevant new policies. Many of these regulations and policies are aimed at improving supply chain risk management through the identification of cybersecurity risks at all levels of the IT supply chain.
The first update is an interim FAR rule, FAR Case 2020-011 FASCSA (Federal Acquisition Supply Chain Security Act) Orders, which is intended to increase the security of supply chains, including IT supply chains. In effect since December 2023, it allows the Department of Homeland Security, the Department of Defense, and the Office of the Director of National Intelligence to issue orders removing or excluding products or services from government contracts if they pose a national security threat.
To comply with this rule, government contractors should monitor SAM.gov for new FASCSA orders at least once every three months, or as advised by their Contracting Officer. If a published FASCSA order identifies a product or service that impacts your supply chain, you would submit a report as required by FAR clause 52.204-30. Although no FASCSA orders have been issued yet, contractors should continue monitoring SAM.gov for new ones throughout FY2025.
If you’re a government contractor selling or manufacturing Internet of Things (IoT) products, this next policy update is for you. The Federal Communications Commission (FCC) issued a final rule establishing voluntary cybersecurity labeling for IoT products in July 2024. In effect since August, this rule is specifically targeted at wireless consumer IoT devices and excludes any IoT devices used in industry.
Through the new rule’s voluntary labeling program, IoT manufacturers can label their IoT device with a CyberTrust Mark if the device meets the program’s cybersecurity standards. The CyberTrust Mark serves as a recognizable stamp of approval for consumers and includes a QR code with detailed cybersecurity information about the product.
This program represents a milestone in the cybersecurity field by helping consumers make safer purchasing decisions and encouraging manufacturers to develop IoT products with cybersecurity in mind. Furthermore, since the program is voluntary, small businesses won’t be burdened by compliance.
The Office of Management and Budget’s 2022 and 2023 policy memos require that the software used by federal agencies complies with secure software development practices. To that end, software producers selling to the government are now required to complete a Common Form attesting that their software conforms to the National Institute of Standards and Technology (NIST) guidance for secure software development. Software producers upload these forms to the Cybersecurity & Infrastructure Security Agency (CISA) repository for federal agencies to access.
A proposed FAR rule requiring this attestation from software producers is still under development as FAR Case 2023-002 Software Supply Chain Security. In the meantime, GSA’s May 2024 Acquisition Letter MV-2023-02 clarifies how this policy currently applies to GSA-funded acquisitions and to contractors on GSA-administered contracting vehicles such as the MAS.
Per the Acquisition Letter, GSA has begun collecting the Common Form attestations, but only for software acquisitions funded by GSA. For MAS contractors, completion of the form is not required at the MAS contract level – which the new FAR rule may change. However, since ordering activities at the task order level are required to request the Common Form, GSA recommends that MAS software producers upload the completed form to the CISA repository in advance. If a software producer cannot meet all the standards in the form, they can submit a Plan of Action & Milestones (POA&M) to the ordering activity.
Another recently proposed FAR rule, Case 2021-017 Cyber Threat and Incident Reporting and Information Sharing, will increase information sharing between IT government contractors regarding cyber threats and cyber incidents. This proposed rule will require government contractors to report cyber incidents within certain timeframes and to coordinate incident response efforts with CISA, the FBI, and the contracting agency. Contractors’ compliance with incident reporting allows the government to better prevent and respond to cyber threats.
As part of the proposed rule, government contractors will be required to submit malicious code samples or artifacts after discovery of security incidents. They will also be required to participate in Automated Indicator Sharing, a CISA-administered service that helps agencies exchange cyber threat indicators and defensive measures in real time.
The proposed FAR rule above, Case 2021-017, also includes a requirement for government contractors to develop and maintain a Software Bill of Materials (SBOM). SBOMs are a formal record of the various components used in building software and those components’ supply chain relationships. SBOMs enhance supply chain risk management by allowing the cyber risks within software supply chains to be easily identified.
To prepare for this requirement, government contractors can consult CISA’s resources on SBOMs, including a Frequently Asked Questions document. The FAQs discuss the benefits of SBOMs, common misconceptions and concerns, the creation of SBOMs, and relevant guidance for software producers, purchasers, and operators.
Finally, the newly proposed FAR rule, Case 2021-019 Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, establishes standardized cybersecurity policies, procedures, and requirements for unclassified Federal Information Systems (FIS). Federal Information Systems are information systems that are used or operated by a federal agency, by a contractor of a federal agency, or by another organization on behalf of a federal agency.
FAR Case 2021-019 will establish cybersecurity requirements for any cloud computing, non-cloud (on-premises) computing, and hybrid services that make up Federal Information Systems. For example, it will require Federal Risk and Authorization Management Program (FedRAMP) safeguards and controls for cloud-based services.
In addition, the proposed rule will require annual vulnerability assessments and independent security assessments for Federal Information Systems that are designated moderate or high impact. Like the other proposed FAR rules we’ve discussed, FAR Case 2021-019 is aimed at improving the security of the government’s IT systems and data.
While it’s important to prepare for the government’s future cybersecurity regulations, keep in mind that the details of these proposed regulations may change before their final publication. In an evolving policy landscape that’s further complicated by the upcoming presidential election, possessing the most up-to-date information is crucial. You can find any recently proposed FAR rules in the Federal Register.
In addition, we recommend subscribing to our blog and monthly government contracting newsletter for the latest insights on complying with cybersecurity regulations as a government contractor. If you have any questions about keeping your contract up to date with current and future regulations, feel free to reach out to one of our consultants.