On October 3, 2023, the FAR Council released two long-awaited proposed rules for federal contractor cybersecurity stemming from the Biden Administration’s Cybersecurity Executive Order from May 2021 (Executive Order 14028). The proposed rules relate to Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). The comment period for both rules is currently open and is scheduled to close on December 4, 2023.Continue Reading Two New Cybersecurity Proposed Rules Mean Big Changes for Federal Contractors

In 2019, cybersecurity has become top-of-mind for most federal government contractors and agencies that share sensitive information.  In addition to updated Department of Defense guidance and procedures for evaluating contractors’ compliance with cybersecurity requirements, as well as an increase in Department of Defense cybersecurity audits, the Federal Acquisition Regulation (FAR) council also has promised a new FAR clause that will require compliance with NIST SP 800-171 security controls for civilian agency contractors that receive or create Controlled Unclassified Information (CUI).
Continue Reading “Internet of Things” Guidance to be Added to Cybersecurity Requirements for Agencies and Federal Contractors

By W. Bruce Shirk

We’ve previously complained about the FAR Council’s tendency to take too much time to issue rules that entail consideration of complex subject matter, as indicated, for example, by the 13 years during which the Council dallied before issuing final rules for commercial off the shelf items, discussed here.  Recent events suggest, however, that there may be good reason for the Council’s dilatory behavior because, as it turns out, when the Council does move quickly in response, say, to a legislative change, it tends to come up with the wrong answer.
 Continue Reading Who’s In Charge? The GAO, the FAR Council, and Jurisdiction Over Task Order Bid Protests