US agencies act on FAR, move for standardizing cybersecurity for unclassified federal information systems

The U.S. Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) are proposing to amend the Federal Acquisition Regulation (FAR), according to a Tuesday notice published in the Federal Register. The move helps to partially implement an Executive Order to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems (FIS), and a statute on improving the nation’s cybersecurity.

The notice recognizes that the government has a responsibility to protect and secure its computer systems, whether they are cloud-based, on-premises, or a hybrid of the two. “The scope of that protection and security must encompass the systems that process data (e.g., information technology (IT)) and those that run the vital machinery that ensures its safety (e.g., operational technology (OT)).” 

It also pointed out that the government contracts with IT and OT service providers to conduct an array of day-to-day functions on an FIS, which is an information system used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency. All FISs require protection as part of good risk management practices. Agencies are responsible for determining what information systems are FIS, in accordance with the definition provided in this rule.

Currently, contractual requirements for the cybersecurity standards of unclassified FISs are largely based on agency-specific policies and regulations. Agency-specific policies can result in security requirements that are inconsistent across contracts and unclear, which adds costs and restricts competition.

The notice calls upon interested parties to submit written comments to the Regulatory Secretariat Division on or before Dec. 4, 2023, to be considered in the formation of the final rule.

To address these risks, E.O. 14028 requires the DHS (Department of Homeland Security) Secretary, acting through the director of CISA (Cybersecurity and Infrastructure Security Agency), to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. 

Additionally, E.O. 14028 directs the FAR Council to consider the contract language received from DHS and publish for public comment any proposed updates to the FAR. The proposed rule would implement the DHS recommendations across all federal agencies to streamline requirements and improve compliance for contractors and the government.

By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect against cyber threats. In addition, and as required by E.O. 14028, upon issuance of a final rule, agencies shall update their agency-specific requirements to remove any requirements that are duplicative of such FAR updates.

The Federal Register notice identified that the “proposed rule provides cybersecurity policies, procedures, and requirements for contractor services to develop, implement, operate, or maintain a FIS. This rule underscores that compliance with these requirements is material to eligibility and payment under Government contracts.”

The rule proposes to add a new FAR subpart 39.X, ‘Federal Information Systems,’ to prescribe policies and procedures for agencies when acquiring services to develop, implement, operate, or maintain a FIS. It also adds and revises definitions in parts 2 and 39.X using current language from statute, regulation, Office of Management and Budget memoranda and circulars, and National Institute of Standards and Technology (NIST) Special Publications (SP) guidance. 

Additionally, the rule seeks to make conforming changes to parts 4, 7, 37, and 39 to further implement policies and procedures, and add two new FAR clauses to be used in contracts for services to develop, implement, operate, or maintain a FIS.

The notice outlined that paragraph (k) of clause 52.239–YY requires contractors to develop and maintain a list of the physical location of all OT equipment included within the boundary for the non-cloud FIS and provide a copy to the government, upon request. “While the proposed rule does not specify a format for the operational technology equipment list, contractors must ensure that the list includes enough information about the equipment to positively locate and track any movement of the equipment during contract performance, including details on password protection and the ability for remote access to the equipment,” it added.
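As an added illustration that is not part of the notice or the rule, the constructed Python checks below show the kind of tracking the OT equipment list requirement implies: required fields per entry, location changes between two submitted lists, and remote-access equipment without password protection. The field names and sample entries are assumptions.

```python
"""Constructed OT equipment inventory checks (illustrative, not from the rule)."""

# Assumed fields needed to locate equipment and record its protection state.
REQUIRED_FIELDS = ("asset_id", "description", "site", "building", "room", "rack",
                   "password_protected", "remote_access")
LOCATION_FIELDS = ("site", "building", "room", "rack")

# Constructed sample: the list at contract start and the list one year later.
LIST_YEAR1 = [
    {"asset_id": "PLC-0001", "description": "PLC, boiler control", "site": "Plant A",
     "building": "B2", "room": "MCC-1", "rack": "R3",
     "password_protected": True, "remote_access": False},
    {"asset_id": "HMI-0002", "description": "Operator HMI", "site": "Plant A",
     "building": "B2", "room": "CR-1", "rack": "desk",
     "password_protected": False, "remote_access": True},
]
LIST_YEAR2 = [
    {**LIST_YEAR1[0], "room": "MCC-2"},                     # PLC moved to another room
    {k: v for k, v in LIST_YEAR1[1].items() if k != "description"},  # HMI entry incomplete
]


def missing_fields(entry):
    """Fields an entry lacks; a non-empty result means the list cannot locate/track it."""
    return [f for f in REQUIRED_FIELDS if f not in entry]


def location(entry):
    return tuple(entry.get(f) for f in LOCATION_FIELDS)


def detect_moves(old, new):
    """(asset_id, old_location, new_location) for equipment whose location changed."""
    old_by_id = {e["asset_id"]: e for e in old}
    moves = []
    for e in new:
        prev = old_by_id.get(e["asset_id"])
        if prev is not None and location(prev) != location(e):
            moves.append((e["asset_id"], location(prev), location(e)))
    return moves


def unprotected_remote_access(entries):
    """Asset ids reachable remotely but recorded as not password protected."""
    return [e["asset_id"] for e in entries
            if e.get("remote_access") and not e.get("password_protected")]
```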

All 28 contractors awarded a contract involving a non-cloud FIS will be required to develop, submit, and maintain a list of OT equipment. The government estimates that a contractor will expend approximately 80 hours developing the list in year one, and 40 hours updating and maintaining the list each year thereafter. Furthermore, upon submission, the government must review approximately six lists of OT equipment submitted by contractors each year in line with the provisions of 39.X03(k).

The Federal Register notice detailed that the proposed rule requires contractors awarded a contract or subcontract to develop, implement, operate, or maintain an FIS to read and become familiar with the rule, as well as review the applicable standards documents identified in the rule. 

The proposed rule also requires contractors awarded a contract or subcontract to develop, implement, operate, or maintain a FIS using other than cloud computing services (i.e., ‘non-cloud FIS’) to develop and maintain a list of the physical location of all OT equipment included within the boundary of the non-cloud FIS.

Additionally, when requested by the government, contractors must submit a copy of the OT equipment list; submit a copy of their continuous monitoring strategy for the FIS; and, for FISs categorized as FIPS Publication 199 moderate or high security impact, submit the results of an annual independent assessment of the security of the FIS and an annual cyber threat hunting and vulnerability assessment.

At the end of September, the U.S. CISA announced that it has formally adopted the OASIS Common Security Advisory Framework (CSAF) Version 2.0 standard to issue security advisories related to ICS (industrial control systems), OT, and medical devices. The move delivers machine-readable advisories using the CSAF 2.0 standard, a proactive step intended to enable automation and future tooling and to drive timely remediation.
