The federal government continues its efforts to meet the requirements set forth in Executive Order 14028, Improving the Nation's Cybersecurity. Beyond the other issues raised in this series of posts (see here, here, here), these efforts are important for companies doing business with the federal government to keep in mind in 2023. The FAR Council is amending the Federal Acquisition Regulation (FAR) in connection with the Executive Order (in addition to the secure software initiative discussed in Part 3).
- Cyber threat and incident reporting and information sharing – New regulations require information technology and operational technology service providers to collect and store information related to cybersecurity incidents on federal information systems and report relevant information to the federal government. These requirements can impose a tight timeline, similar to the 72-hour incident reporting requirement currently in DFARS. OMB has received the proposed FAR rule for December 2022. If approved, the proposed language may appear this year.
- Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems – The federal government is currently working to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems. How or whether this provision will affect ongoing federal efforts to adopt a controlled unclassified information (CUI) program administered by the National Archives and Records Administration (NARA) is unknown. These requirements may be similar to DoD CUI requirements reflected in DFARS. OMB has received the proposed FAR rule for December 2022. If approved, the proposed language may appear this year.
- Enactment of FAR Part 40 – This is an effort to amend the FAR and create a new FAR part, Part 40. This will be a single, consolidated location for cybersecurity supply chain risk management requirements. At this time, it is unclear which FAR clauses will be included in this section. OMB has listed this proposed FAR action in the “final rule stage” and tentatively expects it to be finalized this spring.
Do it – What to expect in 2023: Keep an eye on FAR updates. However, contractors and suppliers can begin preparing for additional requirements to protect controlled unclassified information and report cybersecurity incidents by reviewing the current requirements of DFARS and related guidance.
The content of this article is intended to provide a general guide on the subject. You should seek professional advice for your particular situation.