On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.
Who Will the Standardization of Cybersecurity Contractual Requirements Affect?
Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).
What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”
FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”
The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.
How Will the Proposed Rule Change the Status Quo?
The proposed rule addresses a number of key issues:
- Indemnification. The proposed rule would require contractors to indemnify the government from “any liability that arises out of the performance of the contract and is incurred because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.” Even more significant is the proposed waiver provision, in which the contractor would “agree to waive any and all defenses that may be asserted for its benefit . . . .” The waiver—in its current form—creates strict liability for the contractor.
- Records Management and Government Access. The proposed rule would require contractors to provide the government and government-authorized representatives with timely and full access to data for purposes of audit and investigation.
- FIS Assessment. Agencies would be tasked with classifying FIS. If an agency classified a contractor’s FIS as moderate or high, contractors would be required to conduct annual vulnerability assessments and perform independent assessments on the security of the FIS, submitting findings to the contracting officer.
- Additional Security Controls. The proposed rule would require agencies to articulate security and privacy controls required to support contract performance. Contractors would then be required to maintain a system security plan, with enhanced controls required for FIS designated by an agency as “high value assets” (per Office of Management and Budget memorandum M-19-03).
- Additional Considerations. The draft clause would also require contractors to apply National Institute of Standards and Technology guidance when managing certain activities related to the FIS, including by providing the government with a copy of the contractor’s written monitoring strategy demonstrating the contractor’s awareness of information security risks.
- Use and Disclosure of Government and Government-Related Data Restricted. The rule would limit the use and disclosure of government and government-related data by the contractor without authorization. Contractors would be required to alert the Government of third-party data requests (including those from other government units, whether federal, state, or local).
- Cryptographic Key Services. If a contractor provides encryption algorithms during performance, the proposed rule would require the contractor to provide the key material and services to the agency. The rule would allow the agency to independently implement its own encryption services.
- Operational Technology Equipment List. The proposed rule would require contractors to maintain an inventory of all operational technology, with an obligation to furnish that information to the Government upon request.
- Notifiable Threat and Incident Reporting and Incident Response. The rule cross-references proposed clause FAR 52.239-ZZ (Incident and Threat Reporting and Incident Response Requirements) for guidance on incident and cyberthreat reporting. More on that rule here: The FAR Council Proposes New Cyber Incident Reporting Requirements – Government Contracts Navigator.
What Is the Deadline for Compliance?
As with the proposed rule on cyber incident reporting, the Government is accepting comments until December 4, 2023. It typically takes about one year for the Government to review comments and issue a final rule. We therefore do not expect the Government to issue a final rule until at least late 2024 or early 2025.