Game of Cybersecurity: New Rules, Tighter Deadlines, and No Room for Error!

Strap in, federal contractors! The FAR Council is rewriting your cyber lives with two new proposed cybersecurity rules. Think of it as a new season of Game of Thrones, only this time it’s Cybersecurity that’s Coming. From security incident reporting to standardizing cybersecurity requirements, this regulatory avalanche has one punchline: strict compliance, with no ‘Oops, my bad’ allowed!

Hot Take:

Federal contractors, brace yourselves for an avalanche of cybersecurity regulations! The Federal Acquisition Regulatory (FAR) Council has proposed a pair of rules that will make you rethink your cyber lives. It’s like a new season of Game of Thrones, only this time, instead of Winter, it’s Cybersecurity that’s Coming. The first rule is about security incident reporting and the second about standardizing cybersecurity requirements for federal information systems. But don’t fret, I’ve got you covered with the gist of these newbies. Let’s dive in, shall we?

Key Points:

  • The FAR Council has proposed two new cybersecurity rules for federal contractors. One focuses on security incident reporting and the other on standardizing cybersecurity contractual requirements.
  • The new rules mean stricter compliance. Under the first rule, contractors must report security incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 8 hours of discovery and keep updating the report every 72 hours until the incident is resolved.
  • Contractors will be required to support security incident responses, maintain software bills of materials (SBOM), and provide full access to CISA, the FBI, and the contracting agency in case of security incidents.
  • The second rule introduces a minimum set of cybersecurity standards for federal information systems, with specific clauses for non-cloud and cloud computing services.
  • Under the second rule, contractors must indemnify the government for liability arising from their performance and waive their defenses, including the Government Contractor Defense.

Need to know more?

Cybersecurity: The New Iron Throne

The first rule throws around phrases like "material to eligibility and payment" (language that ties a contractor's eligibility for award and its right to payment to compliance with the clause) and "immediate and thorough investigation". It's like the government is playing Sherlock Holmes, and every contractor is a potential Moriarty. The rule also introduces a new FAR clause, FAR 52.239-ZZ, to be included in all solicitations and contracts. It's a one-size-fits-all clause, applying even to commercial items and to contracts below the simplified acquisition threshold.

Tick-Tock on the Cybersecurity Clock

The rule requires contractors to report any security incident, no matter how big or small, to CISA within eight hours of discovery. That's right, 8 hours! What's more, contractors need to update that report every 72 hours until the incident is completely resolved. Talk about being in the hot seat!

Don't Play Hide and Seek with Cybersecurity

Contractors need to provide "full access" to their information systems and personnel to CISA, the FBI, and the contracting agency in case of a security incident. In other words, no hiding under the cyber rug. To top it off, contractors will have to share cyber threat indicators and defensive measures via the Automated Indicator Sharing (AIS) capability.

One Cybersecurity Rule to Rule Them All

The second rule aims to standardize cybersecurity requirements across federal information systems. It introduces two new FAR clauses for non-cloud and cloud computing services. Contractors are required to follow federal information processing standards, develop contingency plans, and adhere to additional security controls when working with high-value assets.

No Room for Error

The second rule also introduces a strict liability standard. Contractors need to indemnify the government from any liability arising from their performance and waive any defenses, including the 'Government Contractor Defense'. This means there's no room for any "Oops, my bad" in the cybersecurity world.

Big Brother is Watching

Contractors are also required to limit their access, use, and disclosure of government data and notify the contracting officer of any third-party requests for such data. If the contract requires cryptographic key services, the contractor must provide the agency with the key material and services.

Remember, these are just proposed rules. The final word is yet to be said, and the council is accepting comments until December 4, 2023. So, federal contractors, it's time to read, understand, and prepare for what's coming!