The FAR Council Proposes Standardizing Cybersecurity Requirements
On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.
Who Will the Standardization of Cybersecurity Contractual Requirements Affect?
Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).
What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”
FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”
The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.
To read the full post, please visit our Government Contracts Navigator blog.