Stronger Cybersecurity Requirements for Civilian Agency Contractors are Coming
June 13, 2023
By: Thomas Marcinko
At a glance
- The main takeaway: For all contractors, FAR 52.204-21 is the standard. However, that 25 security controls required by that clause are no longer adequate to protect the Government’s interest.
- Assess the impact: Executive Order 14028 required the FAR council to standardize cybersecurity requirements for unclassified Federal Information Systems across all Federal agencies. A proposed rule is coming from the FAR Council, but timing is unknown.
- Take the next step: It is recommended that contractors prepare proactively for the coming standard by taking steps to adhere to NIST 800-171, a standard that the new rule is believed to be modeled after.
Contact Aprio’s Government Contracting Team today for help preparing for the new standard.
The full story:
Thus far, the lion’s share of the government’s cybersecurity requirements for contractors are focused on the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. However, that program applies only to defense contractors.
For all contractors handling Federal contract information, compliance with FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is required. The clause allows Agencies to publish additional cybersecurity requirements, which the Veterans Administration has done (i.e., 852.239-70, “Security Requirements for Information Technology Resources.”
Nevertheless, concerns have arisen regarding the adequacy of the 25 safeguarding or security controls outlined in that clause to effectively protect the government’s interests. This inconsistency in requirements across different agencies risks creating an inefficient supply chain and gave rise to the need for uniform requirements for all contractors.
Standardizing cybersecurity requirements
To address this issue, Executive Order 14028 required the FAR Council to establish uniform standardize cybersecurity requirements for unclassified Federal information Systems across all Federal agencies.
As a result, the FAR Council announced its intention to release a proposed rule, although a specific timeline has not been provided. that it would release a proposed rule but did not provide a timetable. That said it is likely that the proposed rule will be issued later this year. Assuming it is not issued as an interim rule, contractors will have 60 days to provide comments and the final rule would not be effective until sometime after that.
While the specific requirements of the proposed rule were not addressed in the announcement, it is likely that the new clause will subject all contractors to the security controls required by the NIST 800-171 standard and require third party confirmation. Though the new rule will not be released for a while, contractors that are not already in the process of complying with the NIST standards should follow certain steps.
Recommended steps for contractors
- Familiarize Yourself with NIST 800-171 Standards: Contractors who are not yet acquainted with the NIST 800-171 standards should take the initiative to understand their requirements. This will enable better preparedness for compliance with the upcoming rule.
- Review and Provide Comments on the Proposed Rule: When the proposed rule is released, contractors should thoroughly review its provisions and submit any comments or suggestions they may have during the designated comment period. This engagement allows contractors to influence the final rule and voice their concerns or recommendations.
- Address Cybersecurity Shortcomings Now: Contractors should evaluate their current cybersecurity practices and address any evident shortcomings promptly. Taking proactive measures to enhance cybersecurity measures will put contractors in a stronger position to comply with the new requirements once they are enforced.
Prepare for compliance
While the precise timeframe for compliance once the new rule is published remains uncertain, it is evident that contractors who make the necessary preparations will be better positioned to adapt. By staying ahead of the curve, contractors can ensure the continued success of their business in the government contracting space.
A final word
As the government moves toward standardizing cybersecurity requirements for all Federal contractors, the landscape of compliance is expected to evolve. Contractors must remain proactive in their approach, familiarize themselves with the NIST 800-171 standard, and address any vulnerabilities promptly. By staying informed and prepared, contractors can protect their interests and effectively meet the upcoming cybersecurity obligations.
If you have any questions or require cybersecurity support, the Aprio Government Contracting team is here to assist you. Reach out to us today to learn more about how we can help you navigate the evolving landscape of cybersecurity compliance.