The FAR Council Proposes Standardizing Cybersecurity Requirements

Michael Joseph Montalbano and Oliver E. Jury

On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.

Who Will the Standardization of Cybersecurity Contractual Requirements Affect?

Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).

What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”

FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”

The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.

The FAR Council Proposes New Cyber Incident Reporting Requirements

Michael Joseph Montalbano and Oliver E. Jury

On October 3, 2023, the FAR Council issued two proposed cybersecurity rules that could have significant implications for both Government prime contractors and subcontractors. This post discusses the first rule, FAR Case No. 2021-017, which, if implemented, will impose an array of new cyber incident reporting requirements on nearly all government contractors. The second rule, FAR Case No. 2021-019, seeks to standardize cybersecurity contractual requirements across Federal agencies. We discuss the first rule in further detail here.

Who Would Have to Comply with the New Cyber Incident Reporting Rule?

Under the proposed cyber incident rule, the FAR Council intends to promulgate a new FAR clause, FAR 52.239-ZZ. In its current form, FAR 52.239-ZZ would apply to all contracts where “information and communications technology” (“ICT”) is used or provided in the performance of the contract.

What is ICT? ICT is just about anything computer related. ICT includes computers and their peripheral equipment, telecommunications equipment, computer software, and electronic documents. In other words, if a contractor uses a computer or related device in the performance of a government contract, then FAR 52.239-ZZ would likely apply.

Buy American Act—Final Rule: What Has Changed?

Scott Arnold and Ustina M. Ibrahim*

On March 7, 2022, the FAR Council published the final rule containing changes to Buy American Act (“BAA”) domestic preference requirements.

This final rule is a significant step towards implementation of a policy to enhance domestic preferences announced by President Biden in E.O. 14005 just a few days after taking office. You may recall that the FAR Council previously issued a proposed rule that contemplated (1) phased increases in domestic content thresholds, (2) enhanced preferences for critical products and components, and (3) post-award reporting requirements for critical products and components. See our prior posts addressing President Biden’s E.O. 14005 and the proposed rule.

The final rule retained most of what the FAR Council initially proposed, but there are a few changes that we discuss below. We also point out some aspects of the new policy that remain to be fleshed out in future rulemaking.

Increased Domestic Content Thresholds

The proposed rule contemplated increasing the current domestic content threshold from 55 percent to 60 percent, with subsequent increases to 65 percent and 75 percent beginning in calendar years 2024 and 2029, respectively. The final rule retains these increases but allows for a longer period than typically provided before the first increase to 60 percent becomes effective. The 60 percent threshold will take effect October 25, 2022—over six months after publication, rather than the customary 30 or 60 days after publication. Thus, contractors and agencies have several more months to plan for the new threshold.

Buy American Act Domestic Content Requirements Likely to Increase Soon

Scott Arnold, Justin A. Chiarodo, and Robyn N. Burrows

As directed in President Biden’s January 25, 2021, Executive Order we discussed six months ago, last week the FAR Council proposed increases to the Buy American Act (“BAA”) domestic content requirements, and previewed enhanced price preferences and reporting obligations for “critical” domestic products and components under the BAA.

The proposed rule, issued on July 30, 2021, contains three key elements: (1) Phased increases in domestic content thresholds from the current 55% to 75% by 2029, (2) enhanced price preferences for critical products and components, and (3) post-award reporting requirements for critical products and components.

A virtual public meeting to discuss the proposed rule will be held on August 26, 2021, and comments are due by September 28, 2021. The DAR Council also has an open DFARS Case relating to BAA provisions (2019-D045).

We provide an overview of the rule below along with practical takeaways for contractors to consider in light of these potentially significant changes.
