New rule would set governmentwide cyber standards for contracts involving federal information systems

“By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the new rule states.
A server room with blue reflected light and some lights over the hall.
(Getty Images)

The Biden administration is proposing a new standardized set of cybersecurity procurement requirements across the federal government for contractors that work with unclassified federal information systems.

This proposed rule would amend the Federal Acquisition Regulation (FAR) to include minimum requirements for cybersecurity contracts that involve federal information systems instead of leaving it up to agencies to set those requirements, according to a Tuesday notice in the Federal Register.

The contract requirements will differ for cloud-based and on-prem systems, which is outlined in the notice. Once the new requirements take effect, agencies would need to update their own requirements to remove any rules that are duplicative — but they could still require any additional rules that go beyond the baseline updates provided in the new FAR language.

Currently, the cybersecurity requirements for such contracts are based on agency-specific policies, which introduces risks including inconsistent security requirements across contracts, additional costs and restricted competition. 


“By standardizing a set of minimum cybersecurity standards to be applied consistently to [federal information systems], the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the notice states. 

This change is a direct measure called for in the Biden administration’s landmark 2021 cybersecurity executive order. That required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to review agency-specific cybersecurity requirements from across the government and then to “recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements” that would be proposed publicly for comment.

The notice Tuesday calls for the government to improve its efforts to identify, deter and respond to cyber threats while also ensuring that products are built and operated securely for a safer cyberspace. 

“In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced,” the notice states. 

It also highlights the recent explosive growth of malicious cybersecurity activity, adding that the threats that the nation faces are costly and predicting that with threats continuing to grow, it could cost $1 trillion over the next decade.


In 2018 the Council of Economic Advisors found that malicious cybersecurity activity cost the national economy somewhere between $57 billion and $109 billion. The administration in the notice also acknowledged that the cost of a single cyber incident to an individual company “can be crippling.”

“It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines,” the notice states.

Comments on the proposed rule will be accepted through Dec. 4.

The administration on Tuesday also issued a separate proposed rule to revise the FAR to increase information-sharing on cyber threats and incidents with technology providers.

Caroline Nihill

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.

Latest Podcasts