The federal government recently released two draft Federal Acquisition Regulation (FAR) rules for notice and comment.  Of particular note, one of these rules is a significant change in contractor data breach notification.  But both rules are important and worth contractors’ attention.

Background

These two proposed FAR clauses implement portions of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, E.O. 14028, as well as portions of the Internet of Things Cybersecurity Improvement Act of 2020.

The first rule, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, 88 FR 68402 (the Systems Rule) is intended to “provide standardized cybersecurity contractual requirements across Federal agencies for Federal information systems (FIS).”  The second rule, Cyber Threat and Incident Reporting and Information Sharing, 88 FR 68055 (the Breach Rule) provides data breach notification requirements for federal contractors.

Both proposed rules were introduced on October 3, 2023, and comments close on December 4, 2023.  As of the date of this blog post, the two rules have four total comments.

The Systems Rule

Currently, cybersecurity requirements for federal systems are generally established by the Federal Information Security Modernization Act of 2014.  How agencies establish specific cybersecurity requirements for systems, especially those operated by contractors, varies greatly.  Contractors that service multiple agencies are subject to varying requirements for the same system.  The Systems Rule is intended to remedy that situation.

The Systems Rule provides “policies and procedures for acquiring services to develop, implement, operate, or maintain a Federal information system (FIS)”.  A FIS is “an information system (44 U.S.C. 3502(8)) used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency.”  The language on behalf of an agency is defined later in the rule to exclude systems that are incidental to providing a service or product to the government, but even with that exclusion, this is a broad definition.  The System Rule further breaks FIS to cloud and non-cloud based systems, and requires the contracting officer to categorize “the FIS based on an impact analysis of the information processed, stored, and transmitted by the system.”  Already a complicated set of requirements for what is supposed to be a simplification.

The rule states that there are currently 84 contractors (28 non-cloud contractors and 56 cloud contractors) awarded an implicated contract annually.  That number seems low, and it is likely this clause will end up in for more federal contracts than the rule contemplates.  The rule will also be included in a significant number of subcontracts, whether appropriate or not.  So even though the impact analysis in the Federal Register seems reasonable, the actual impact will be much greater.

The Systems Rule has its own particular security requirements, but also incorporates a significant number of National Institute of Standards and Technology (NIST) Special Publications (SP), which are highly technical and burdensome.  In fact, one of the NIST SPs is NIST SP 800-53, of which CMMC implements only a part.  It also requires independent, annual assessments for some of the FIS.

Many contractors that will be subject to this rule are already subject to NIST SP 800-53, but not all.  NIST SP 800-53 continues to evolve as well, recently including privacy considerations.  Contractors can expect both the Systems Rule and the requirements it incorporates to continue increasing in complexity.

The Breach Rule

The Systems Rule appears to be broad; the Breach Rule certainly is.  And naming the rule as such undersells it.  The Breach Rule also includes the requirements on the Software Bills of Materials (SBOMs), which were called for in the Executive Order and are closer to fruition.

First, the breach notification portion.  This section of the Breach Rule requires a notification to CISA within 8 hours of the discovery that a security incident may have occurred, with updates every 72 hours.  This notification has a lower threshold, shorter timeframe, and more frequent updates than almost any other data breach notification requirement.  It also includes an 18-month data preservation clause, with a shorter time frame for system images.  It reads much like a wish list from CISA, as opposed to a workable notification regime.  Notifying the federal government of a data breach is a significant step for a contractor, and without some immunity in place, contractors will be reluctant to make a notification unless they are sure a data breach occurred.  To remedy this, there is a portion of the rule that requires a contractor affirm that it has submitted all breach reports required by its federal contracts each time it enters a new contract, which I am sure will be noted by the Department of Justice’s Cyber-Fraud Initiative.

Included in the Breach Rule, and unrelated to data breach notification, is a requirement for SBOMs.  This portion of the rule links to a Department of Commerce website with the actual standard.  The rule requires an SBOM for “each piece of computer software used in performance of the contract”, a breathtakingly broad requirement.  Much computer software will need to come with SBOMs.  But smaller commercial software vendors will have to induced to provide SBOMs, and developers targeting the federal government will need to add to their development process.  All in, the SBOM requirement will be a significant requirement for all government contractors.

Conclusion

These proposed rules have the potential to impose significant burdens on federal contractors, to say nothing of the additional False Claims Act implications of the Breach Rule (I’ll touch on those later).  Contractors should begin to closely review these proposed rules to understand their future obligations.  They should also take this opportunity to register their comments on the proposed rules with an eye to influencing the final rules.  Contractors that would like assistance with either understanding the rules or submitting comments designed to influence the final rules should contact one of our cybersecurity and data privacy experts.