
Federal Contractors Face Stricter Regulation

US Federal Contractors Face Stricter Regulation Over Cyber Incident Response Reporting


Last October, the United States' Federal Acquisition Regulation (FAR) Council proposed two new rules, one of which will influence cyber incident response practices. The scope is limited, as it only applies to US federal government contractors, so the reach will not be as broad. However, those subject to the new rule will face major changes as liability broadens. It is crucial to monitor the progress of the rule becoming final and whether there are any substantive changes. Public comment closed on Feb. 2, 2024, and some of the suggestions or concerns expressed may influence the outcome.

Breakdown of Proposed Rules

In May 2021, President Biden issued the robust Executive Order on Improving the Nation’s Cybersecurity. It contained several provisions dedicated to modernising and instilling stronger federal cybersecurity standards. The FAR Council’s proposed rules align with this order and demonstrate the ongoing importance of cybersecurity in today’s digitally-fueled world. Below are some highlights for each, but as always, any contractor subject to these rules should review them in their entirety to understand all obligations and plan accordingly.

FAR Case No. 2021-0019 narrowly applies to federal contractors providing or maintaining a Federal Information System. The goal is to standardise requirements for any unclassified systems. It mandates the inclusion of specific contract clauses for cloud-based systems and for non-cloud systems such as those on premises. Each requires broad indemnification and a waiver of all beneficial defences, thus opening up contractors to more liability.

FAR Case No. 2021-0017 would apply to the majority of federal contractors, as it covers those using information and communication technology systems under their contract. Among other directives, this rule establishes stricter cyber incident reporting requirements and instructs contractors to develop a comprehensive software bill of materials. They must report security incidents within eight hours of discovering them, via a specific reporting system. All reports must be updated every 72 hours until the eradication or remediation phase ends.

Agency power also expands under this rule. When a breach occurs, the contractor must grant the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the contracting agency full access to any compromised systems and to personnel. CISA would also gain access to threat hunting and incident response activities.

Potential Effects

Overall, these rules add more layers to cyber compliance and are material to remaining eligible and receiving payment under the government contracts. The directives relating to cyber incident response are particularly striking as the timeframe and reporting burden greatly increases for the majority of federal contractors. To help ease the transition, preparation is key.

Here are four ways the new reporting requirements would affect cyber incident response practices:

  • There would be another layer of expense to account for when budgeting for cybersecurity.
  • This adds yet another set of requirements to the growing international regulation landscape. This can make compliance convoluted and difficult, so it is important to have the right resources in place to maintain proper processes and avoid violations.
  • Requiring notice within eight hours is extremely fast. This can lead to contractors scrambling to meet the timeline and missing key facets of the incident. The early and ongoing reporting requirements may hinder actual incident response, as they are one more thing to worry about when the sole focus should be on stopping the event and minimising the fallout.
  • Many individuals affected by a breach are already reaching out to agencies like the FBI, leading to a high number of reports that the agency does not have the bandwidth to handle. This could very well mean that there will not be as much meaningful participation under FAR’s new directives. Again, this is not for lack of wanting to intervene but simply because there are too many incidents and not enough agency resources.

Once a cyber incident results in a data breach, reaching those affected needs to be done quickly, thoroughly, precisely, and reliably. Regulatory obligations add another box to check during this chaotic time. The proposed FAR rules send the message that the government recognises the importance of remaining cyber vigilant and will hold its contractors accountable. However, the complexity and time constraints imposed will add extra challenges that contractors need to anticipate now, by instilling processes that make things smoother in the event of an incident.

For now, it is important to note whether any proposed changes during the comment period materially affect the substance of the rules and when the final versions become effective. In the meantime, discuss with a consultant how to mitigate the risk of cyber incidents, bolster response efforts when one occurs, and expedite reporting. Doing so will foster better preparedness to comply with the rules and maintain government contracts.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.
