Key points to remember

Upcoming changes to FAR and DFARS

Federal government agencies are required to provide recommendations for changes to the contractual requirements of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) for information and communications technology service providers ( TIC). The changes will require ICT service providers under contract with the federal government to collect and retain data and information relating to cybersecurity incidents, quickly share this data directly with designated federal agencies, and cooperate with investigations and law enforcement agencies. responses to incidents on federal information systems. .

Federal government cybersecurity modernization

The federal government will move towards a zero trust architecture and secure cloud services in accordance with the standards and guidelines of the National Institute of Standards and Technology (NIST). To facilitate this transition to a cloud-based infrastructure, the Federal Risk and Authorization Management Program (FedRAMP) will develop and promulgate security principles governing cloud service providers (CSPs). Additionally, all federal agencies are required to adopt multi-factor authentication (MFA) and encryption for data at rest and in transit by November 3, 2021. While this requirement is currently limited to the federal government, the The ruling is not clear as to whether AMF and encryption will also apply to government data and Controlled Unclassified Information (CUI) residing on Defense Industrial Base (DIB) and other networks. subcontractors.

Software supply chain security

In view of the impact that the SolarWinds violation continues to have in several industries, this ordinance aims to implement more stringent measures to ensure the proper functioning and reliability of critical software. Over the next 30 days, NIST will work with representatives from the federal government, the private sector, and academia to develop criteria for evaluating the security practices of software developers, after which NIST will issue guidelines to improve software supply chain security. Among these guidelines, there will be a requirement for software developers to provide the federal government with a software nomenclature for all critical software. Once NIST releases its guidelines, federal agencies will have 30 days to comply. Within one year, the Department of Homeland Security (DHS) will make recommendations for amendments to the FAR to contractually oblige suppliers to comply with NIST guidelines. Any software that does not meet the NIST standard will be removed from federal government contracts and networks. NIST will publish further guidelines articulating minimum standards for developers testing their software source code.

Internet of things

NIST will develop criteria for a basic level of secure practices and an associated scoring scheme for IoT devices which will likely include parallels with Underwriters Laboratories (a third-party certification company).

Cyber ​​Security Review Committee

The ordinance creates the Cybersecurity Safety Review Board (CSRB). Like the National Transportation and Safety Board (NTSB), the CSRB will be made up of government officials and industry professionals who will review and assess significant cyber incidents. The Council’s first order of business is to review the SolarWinds breach and provide DHS with recommendations to improve cybersecurity and incident response.

Network logs

Over the next two weeks, the government will develop requirements for event logging, retention of relevant data, and encryption of activity logs on federal information systems – including those hosted and managed by third parties. This requirement will require third party vendors who maintain information systems used by the federal government to collect, maintain and provide network logs to the government.

summary

This ordinance represents more than a progressive step in cybersecurity – it is a significant shift towards modernization and an increased public-private partnership. He seeks to consolidate inconsistent policies across multiple agencies and standardize common cybersecurity contracting language to improve compliance for vendors and security for the federal government. For federal contractors and their subcontractors, a thorough understanding of the requirements of upcoming standards will be crucial. Companies should strive to determine whether these changes will affect their overall business strategy, responses to tenders, and current plans to comply with CMMC requirements.