On October 3, 2023, the FAR Council issued two proposed cybersecurity rules that could have significant implications for both Government prime contractors and subcontractors. The first, FAR Case No. 2021-017, would, if implemented, impose an array of new cyber incident reporting requirements on nearly all Government contractors. The second, FAR Case No. 2021-019, seeks to standardize cybersecurity contractual requirements across Federal agencies. This post discusses the first rule in further detail.
Who Would Have to Comply with the New Cyber Incident Reporting Rule?
Under the proposed cyber incident rule, the FAR Council intends to promulgate a new FAR clause, FAR 52.239-ZZ. In its current form, FAR 52.239-ZZ would apply to all contracts where “information and communications technology” (“ICT”) is used or provided in the performance of the contract.
What is ICT? ICT is just about anything computer-related. It includes computers and their peripheral equipment, telecommunications equipment, computer software, and electronic documents. In other words, if a contractor uses a computer or related device in the performance of a Government contract, FAR 52.239-ZZ would likely apply.
The proposed rule would require inclusion of FAR 52.239-ZZ in virtually all prime contracts, including contracts below the simplified acquisition threshold, contracts for commercial products and services, and contracts for commercially available off-the-shelf items. Prime contractors would be required to flow FAR 52.239-ZZ down to all subcontracts, at all tiers, if ICT is used or provided in the performance of the subcontract.
What Are the New Cyber Incident Reporting Requirements?
FAR 52.239-ZZ entails seven primary requirements:
- Cyber Incident Reporting. The proposed rule would require contractors to “immediately and thoroughly investigate all indicators that a security incident may have occurred.” The contractor would need to report a security incident through a Cybersecurity and Infrastructure Security Agency (“CISA”) portal within eight hours of discovering the incident, and would need to update that report every 72 hours until “all eradication or remediation activities” have been completed. The contractor would also need to notify the Contracting Officer for each affected contract or order that a report has been submitted to CISA.
- Data Preservation. The proposed rule would require contractors to collect and preserve available data relevant to the cyber incident. The data would need to be stored in active storage for 12 months followed by six months in active or cold storage. The contractor would need to “promptly” provide this data to the Contracting Officer upon request.
- Customization Files. The proposed rule would require contractors to develop and maintain “an up-to-date collection of customizations that differ from manufacturer defaults on devices, computer software, applications, and services.” These customization files would need to be maintained for at least one year after the contract ends and provided to the Government upon request.
- Software Bill of Materials (“SBOM”). The proposed rule would require contractors to develop and maintain an SBOM for any software used in the performance of the contract, regardless of whether a security incident has occurred. If a piece of software is updated with a new build or major release, the contractor would need to update the SBOM.
- Assist with Cyber Incident Investigations. The proposed rule would require contractors to assist CISA, the FBI, and the contracting agency in investigating the cyber incident. This would include providing any malicious software that the contractor isolates and giving the agencies access to contractor personnel.
- Automated Indicator Sharing. The proposed rule would require contractors to subscribe to CISA’s Automated Indicator Sharing program, through which the contractor would be required to share cyber threat indicators and defensive measures.
- Internet Protocol Version Six (“IPv6”). Contractors awarded contracts that include ICT products and services that use “internet protocols” would need to implement IPv6, the current version of the Internet Protocol that underlies communications over the internet. Contractors would also need to submit a supplier’s declaration of conformity documenting IPv6 capabilities and provide the Government with an IPv6 Implementation Plan.
What Happens Next?
The Government is accepting comments from the public until December 4, 2023. The Government will then review the comments and issue a final rule, a process that typically takes about one year. We therefore do not expect the Government to issue a final rule until at least late 2024 or early 2025. We also expect that the Government will provide an on-ramp period to give contractors time to comply with the final rule.