Cybersecurity Update: A FAR Is Born

     Well, actually, a FAR Part, that is.

     On April 1, 2024, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) published a Final Rule creating, for the first time in almost two decades, a new Part under FAR, titled Information Security And Supply Chain Security.  Whether the timing of the publication can be chalked up to a sardonic sensibility, we may never know.  But the implications of the new Part are no joking matter. 

     The sparsely worded Final Rule serves mostly as an announcement of what is to come, since the text of the new Part, for now, merely sets out its title, a general purpose statement, a list of other FAR Parts currently containing information security requirements (i.e., Parts 4, 24, 39, and 46), and several placeholder paragraphs.  So the Final Rule and the few provisions found in Part 40 contain no new policies, procedures, or requirements. 

     But as set out in the Final Rule’s preamble and in the regulation’s general purpose statement, FAR Part 40 is intended to consolidate, in one place, the information security requirements spread out in the FAR in order to make implementation and compliance with those requirements easier for government contractors and contracting officers.  Re-alignment of existing policies and procedures will come in separate rulemaking.

     Presumably, therefore, at some point in the near future the current requirements under Subpart 4.19 - Basic Safeguarding of Covered Contractor Information Systems, and its related FAR clause 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems will find a new home in Part 40.  And as we know, under DoD’s proposed Cybersecurity Maturity Model Certification (CMMC) Program for defense contractors, which is set out in a proposed DoD rule issued last December (described here) that creates a new part in DoD’s national security regulations, Level 1 CMMC certification requires compliance with all of the FAR 52.204-21 requirements.

     Thus, at this point, it would be reasonable for all civilian agency federal contractors to be wondering if a CMMC certification requirement or “CMMC-like” certification requirement looms on the horizon and might find its way into the new FAR Part 40.  Indeed, it seems indisputable that a disruption to the operations of civilian agencies like the Department of Treasury, Department of Homeland Security, Social Security Administration, and Federal Aviation Administration, to name a few, would pose a serious risk to national security.  For now, though, the question of whether civilian agency contractors should be held to different security requirements than their DoD counterparts remains lingering.

     In the meantime, federal government contractors should stay tuned for any updates to information security requirements under FAR - that Part 40 Final Rule was no April Fools joke.