Tuesday, September 16, 2025

Proposed FAR Rules Introduce New Compliance Obligations and ... - JD Supra

The Federal Acquisition Regulatory (FAR) Council published two proposed rules on October 3, 2023, that would impose significant new cybersecurity obligations on government contractors, including requiring them to share information with the government about actual and imminent cyber incidents, provide software bills of materials (SBOMs) to government customers, and make representations about compliance that will create new False Claims Act (FCA) risks.

The proposed rules (FAR Case 2021-017 [Cyber Threat and Incident Reporting and Information Sharing] and FAR Case 2021-019 [Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems]) represent a substantial expansion of contract requirements related to cybersecurity and will affect large numbers of contractors, including commercial companies. They also present new risks of FCA enforcement activity related to cybersecurity—a priority of the U.S. Department of Justice (DOJ) under its Civil Cyber-Fraud Initiative launched in October 2021. The proposed rules are open to public comment through December 4, 2023.

In this Update, we summarize the FAR Council’s proposed rules and their significance.

Background: Executive Order 14028

By way of background, both proposed rules were issued pursuant to President Biden’s May 12, 2021, Executive Order 14028 (EO 14028), Improving the Nation’s Cybersecurity, which initiated a series of agency actions in response to the SolarWinds and other high-profile...


