The Biden administration is proposing a new standardized set of cybersecurity procurement requirements across the federal government for contractors that work with unclassified federal information systems.
This proposed rule would amend the Federal Acquisition Regulation (FAR) to include minimum requirements for cybersecurity contracts that involve federal information systems instead of leaving it up to agencies to set those requirements, according to a Tuesday notice in the Federal Register.
The contract requirements will differ for cloud-based and on-prem systems, which is outlined in the notice. Once the new requirements take effect, agencies would need to update their own requirements to remove any rules that are duplicative — but they could still require any additional rules that go beyond the baseline updates provided in the new FAR language.
Currently, the cybersecurity requirements for such contracts are based on agency-specific policies, which introduces risks including inconsistent security requirements across contracts, additional costs and restricted competition.
“By standardizing a set of minimum cybersecurity standards to be applied consistently to [federal information systems], the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the notice states.
This change is a direct measure called for in the Biden administration’s landmark 2021 cybersecurity executive order. That required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to review agency-specific cybersecurity requirements from across the government and then to “recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements” that would be proposed publicly for comment.
The notice Tuesday calls for the government to improve its efforts to identify, deter and respond to cyber threats while also ensuring that products are built and operated securely for a safer cyberspace.
“In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced,” the notice states.
It also highlights the recent explosive growth of malicious cybersecurity activity, adding that the threats that the nation faces are costly and predicting that with threats continuing to grow, it could cost $1 trillion over the next decade.
In 2018 the Council of Economic Advisors found that malicious cybersecurity activity cost the national economy somewhere between $57 billion and $109 billion. The administration in the notice also acknowledged that the cost of a single cyber incident to an individual company “can be crippling.”
“It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines,” the notice states.
Comments on the proposed rule will be accepted through Dec. 4.
The administration on Tuesday also issued a separate proposed rule to revise the FAR to increase information-sharing on cyber threats and incidents with technology providers.