The Department of Defense (DoD), the General Services Administration (GSA), and NASA are looking to implement new revisions to the Federal Acquisition Regulation (FAR) to standardize cybersecurity requirements for government contractors.
The proposed rule, published in the Federal Register today, would develop standardized contract language for unclassified Federal Information Systems (FIS) and help to mitigate any potential risks associated with having no streamlined requirements.
“This proposed rule provides cybersecurity policies, procedures, and requirements for contractor services to develop, implement, operate, or maintain a FIS. This rule underscores that compliance with these requirements is material to eligibility and payment under government contracts,” states the rule proposal.
“By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” it adds.
Under the proposed rule, contractors would be required to grant access to the Cybersecurity and Infrastructure Security Agency (CISA) and to collaborate with the agency on incident response initiatives.
“If the contractor receives a request for access from CISA, the contractor must confirm the validity of the request by contacting CISA and notifying the contracting officer in writing of the request for access,” states the proposal.
The push for this new rule comes from President Biden’s cybersecurity executive order issued in 2021.
Additionally, the agencies are asking contractors and other key stakeholders to comment on the proposed rule. Commenters have until Dec. 4 to provide input to be considered in the formation of the final rule.