The FAR council goes big into proposing new cybersecurity rules

Almost everything the government buys in the future could look like cybersecurity with some other product attached, if new proposed rules from the Federal Acqui...

Almost everything the government buys in the future could look like cybersecurity with some other product attached, if new proposed rules from the Federal Acquisition Regulation council take effect early next year. That’s more a matter of when than if. Attorney Townsend Bourne, a partner at Sheppard Mullin, has read the proposed rules and joins Federal Drive with Tom Temin for this discussion.

Link to Townsend Bourne’s blog post

Interview Transcript: 

Tom Temin Now, these are comprehensive rules. I mean, they really originated in homeland security. Fair to say. But they are put forth because that’s the official channel is the FAR council.

Townsend Bourne That’s right. These two proposed rules actually stem from an executive order that we got in May of 2021 from the Biden administration. So they’re over two years in the works. We’ve been expecting them now for a while, and they’ve got a lot in them.

Tom Temin Yeah. And there’s a couple of different parts to them. And let’s start with the threat incident and reporting information sharing part of that. What would that entail and on whom would it be a requirement?

Townsend Bourne So this proposed rule is meant to target procurements that relate to information and communications technology. Even though the proposed rule contemplates that the new FAR provisions are going to be in all solicitations and contracts. It’s really targeting that ICT product and service procurement. So there is a little bit of a narrowing here, although the new clauses we’re going to start seeing and all solicitations and contracts once the rules go final. The main part of this really is that incident reporting and cyber threat sharing. The incident reporting requirement in the proposed role is an eight hour reporting requirement. So within 8 hours of discovery of a security incident, the FAR council would like contractors to report and then provide updates every 72 hours.

Tom Temin And this would be if the contractor itself is experiencing the breach.

Townsend Bourne That’s correct. The proposed rule provides a definition of security incident, so that will be the parameters that will be used to determine whether or not that incident reporting requirement kicks in.

Tom Temin And there’s a little subtlety here I wanted to ask you about. One is sometimes the government buys ICT products, it buys communications and technology directly. But often the ICT, the information and communications technology is integral to the delivery of some other products, say VA buying this electronic record system. While you’re buying a database and you’re buying some software applications, a lot of them, but none of it works without the ICT underlying it. So how extensively will this go across the board here?

Townsend Bourne It’s a great question. I think that’s something that’s going to need to be ironed out during the public comment period. The background information within the proposed rule has some broad language that this would apply to any contracts where ICT is used in performance of the contract in addition to where ICT products are being sold to the government. There is a little bit of a qualifier in the security incident reporting provision which talks about ICT products and services that are provided to the government. So there’s a bit of an ambiguity there that I think is going to need to be worked out because that word used obviously is quite broad.

Tom Temin Sure. And there are also definitions you’re reporting in here for Internet of Things devices and operational technology, OT, which crosses over. There’s a merger at some edge anyway of IOT and operational technology and then telecom equipment, telecom services and security incident. Everybody’s got to relearn what these are.

Townsend Bourne That’s exactly right. This is the first time we’re seeing a definition for Internet, Internet of Things devices in the FAR. We’ve had some guidance out of NIST on treatment and cybersecurity for Internet of Things, but we haven’t seen it embedded into a FAR clause yet. So this will be new.

Tom Temin Then the incident reporting regime, is that the main part of what these rules are all about?

Townsend Bourne So you would think so. It is the main impetus for this role. I believe there are also a lot of sections that talk about supporting incident response, which will require contractors to do a lot on the front end, both to preserve data before and after a security incident. But there’s also requirements now for an S bomb, which is a software bill of materials that contractors will be required to maintain for all software used in performance of the contract, At least the way the proposed rule is written right now. There are also requirements to allow more access by certain agencies like CISA and the FBI to contractor systems after an incident and even before an incident when cyber threat indicators are shared.

Tom Temin We’re speaking with Townsend Bourne. She’s a partner at the law firm Sheppard Mullin. And so this really gets to beyond the arm’s length relationship that government has with contractors. It sounds like there is a mechanism by which they can check to see if a contractor has what the government considers acceptable protections in place. Is that fair to say?

Townsend Bourne I think that’s right. We’re seeing some of the government access rights really spelled out in this proposed rule. I think contractors have gotten used to the idea that the government can come in and perform audits as a general matter. But here we’re actually seeing those audit rights and investigation rights spelled out pretty clearly.

Tom Temin What has been reaction that you’ve had from clients so far? I mean, what are people? This has been out less than a couple of weeks. They’ve got until December, I think, to comment. Industry or anyone that wants to comment. But what’s the initial reaction looked like to you?

Townsend Bourne I think people are still trying to wrap their arms around this one. Both of the proposed rules are over 100 pages, so I’m not sure how many people are brave enough to dive into the whole thing. So we’re trying to distill and make sure we understand the proposed applicability to help our clients understand the proposed rules and understand what comments they might want to put in.

Tom Temin And what about CMMC? This is not related to CMMC, but it has a kind of animating idea behind it similar to CMMC, and that is you have to have a certain amount of chops in being able to detect things and report things that not all companies frankly have until the ransomware shuts down their data. What’s the government fundamentally trying to get at here, do you think?

Townsend Bourne Yeah, that’s exactly right. So it’ll be interesting to help clients implement this in in conjunction with CMMC, which obviously we’ve been working on for a while now. CMMC revolves around types of information, so the cybersecurity required of contractors really depends on the type of government information they’re going to have in their systems. This new proposed rule focuses more like we’ve been saying on information and communications technology, so it’s not focused on the information per se, it’s focused on the technology. So that’s going to be a bit of a challenge, I think, when contractors are implementing compliance plans. It’s a little bit of a mental shift from what we’ve been doing with CMC.

Tom Temin There’s also another detail I wanted to ask you about something that has been in discussion in the government at least 30 years literally, and that is IP version 6 (IPv6) implementation. Contractors are going to be required to complete Internet protocol, version 6 implementation activities, whatever that means. They reference a 2020 memo, but I can find a 1990 memo referring to IP version 6.

Townsend Bourne Right, Right. Yeah. I think this is something the government is trying to been trying to get out for a while. So we’ve seen contracts in the past that incorporate agency policy and guidance, trying to implement IP version 6. So this is something that I think we knew was coming. I wasn’t necessarily expecting to see it in this proposed rule, but it’s not totally surprising.

Tom Temin All right. And then there’s going to be some new contract clauses to FAR part 39. You have written out here. And so there’s a lot of mechanism and a lot of, I guess, bureaucracy connected with this in terms of what the FAR is adding.

Townsend Bourne That’s right. A significant ad is going to be a new representation provision. So this has been a way the government has tried to ensure compliance by making contractors check the box and represent and certify that they’re doing certain things. This new proposed rule has a representation provision that will require offer orders at the time they’re putting in their proposals to represent that they’ve submitted current, accurate and complete security incident reports under all of their existing government contracts, which is a pretty broad it’s a new one for us and also a representation regarding slowing down these provisions to their subcontractors.

Tom Temin Right. So there is a lot of, I guess, potential here for False Claims Act activity somewhere down the line.

Townsend Bourne That’s exactly right. And interestingly, the background in the proposed rules does specifically say that these requirements are going to be material to government payments, which is basically taking a page out of the False Claims Act.

Tom Temin Sure. And then do these basically apply then to people that are not dealing with classified systems because people dealing in the classified world probably already have a lot of this in place.

Townsend Bourne I think that’s right. It’s more targeted to the unclassified world and it will apply to commercial product and services procurements as well. So they’re trying to catch some of the contractors that I think are not, you know, in the traditional space for government contracting. And they’re going to have to understand and implement some of these new requirements.

Tom Temin Boy, this is going to really drive people to other transaction authority buys if they can get away with it. And just a final question. You’ve made a distinction here also that there are rules for whether the contractor is using cloud computing and whether it’s using its own data centers.

Townsend Bourne That’s right. So the second proposed rule really gets at contractors that are operating what we now have a definition for, which is federal information systems, and it actually builds in for contractors that are operating cloud systems for the government, a requirement that they be FedRAMP authorized. FedRAMP is the federal government’s program for security for cloud service providers. So that’s now going to be. Built in into the FAR.

Tom Temin So there’s some old cleaning up they’re kind of doing here as well as breaking new ground.

Townsend Bourne I think that’s right. FedRAMP has been a program since 2011. It was just codified via statute at the end of last year. So I think, yes, it’s been ten years in the making, but now it’s finally becoming part of the regulations.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Jason Workmaster, Miller and ChevalierHead shot of Jason Workmaster

    FAR Council finalizes more stringent procurement rules under Buy American Act

    Read more
    Amelia Brust/Federal News Network

    FAR Council updates whistleblower protection, small business rules

    Read more