The U.S.’s FAR-Reaching New Cybersecurity Rules for Federal Contractors
Forthcoming cybersecurity rules for federal contractors increase not only the requirements contractors have to follow but also the regulatory reach of federal agencies.
Published by The Lawfare Institute
in Cooperation With
In October 2023, the Federal Acquisition Regulation (FAR) Council proposed two new cybersecurity rules for federal contractors that sell or operate software for use by or on behalf of the federal government. These rules impose new requirements for cloud and non-cloud software systems that process government data and outline a framework for incident reporting and information sharing between private industry and the government. While the rules cover a lot of ground, two notable items stand out: first, mandated vendor compliance with the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directives (BODs) and Emergency Directives (EDs) for non-cloud systems; and second, the expansion of required Federal Risk and Authorization Management Program (FedRAMP) compliance to cloud systems used by vendors on behalf of the federal government, not just those used by the government itself.
What’s Been Proposed, and Why Does It Matter?
The Federal Acquisition Regulation sets the rules of the road for government acquisitions, dictating how the government can make contracts with the private sector for everything from consulting services, to software systems, to military equipment. Its rules are set by a council that includes the Department of Defense, the National Aeronautics and Space Administration, and the General Services Administration.
The first rule proposed by the FAR Council, “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” outlines cybersecurity regulations for contractors who develop, implement, operate, or maintain a federal information system—which includes most hardware and software used by the government as well as cloud services. Coming nearly two years after the Biden administration’s May 2021 executive order, "Improving the Nation’s Cybersecurity,” this new rule would standardize cybersecurity requirements for federal contractors that were previously based on agency-specific policies and were often inconsistent from contract to contract.
The second rule, the ”Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing,” adds new requirements around incident reporting and information sharing to all contracts involving federally acquired information and communications technology. Among other mandates, the rule requires contractors to report cybersecurity incidents to the CISA within eight hours of discovery. It also requires contractors to provide access to their personnel and information systems upon request by the Federal Bureau of Investigation, the CISA, and the contracting agency following a security incident.
The adoption of these rules would expand the authority of the CISA and the FedRAMP Board to cover cybersecurity practices across contractors providing and running federal information systems and impose myriad other requirements, such as mandating that contractors develop and maintain software bills of materials (SBOMs) for all software used throughout a contract.
Implementing the rules would also widen the scope of cybersecurity practices vendors must undertake—increasing the volume of contracts against which the Department of Justice’s Civil Cyber Fraud Initiative (CCFI) might pursue cases of false claims if contractors fail to live up to their promises. Since the initiative was announced in 2021, the Justice Department has under the False Claims Act (FCA) brought a handful of claims against government vendors for misrepresenting their cybersecurity practices. Requiring contractors to disclose more information, such as in the case of a cyber incident, exposes contractors to greater liability risk under the FCA. And the standardization of these requirements across federal contracts may reduce the investigative burden on the Justice Department to prove that a contractor failed to meet its contractual cybersecurity obligations, in turn, making it easier for the department to expand its enforcement.
The period for public comment on the rules ends tomorrow, Feb. 2. Many of the comments submitted in response to the rules have focused on questions about a new proposed requirement for software vendors to provide software bills of materials. While this requirement is timely and important, two other, lower profile changes—requiring vendors to comply with the CISA’s directives (BODs and EDs) for non-cloud systems and expanding FedRAMP compliance to include vendor-operated cloud services—would also represent important steps forward: They would broaden the ambit and applicability of the cyber standards the federal government has set for itself. Paired with bolstered enforcement of legal liability for federal contractors' security practices flowing from the CCFI, these two FAR changes would expand the role of government agencies as regulators and overseers of cybersecurity practices across all systems used by or on behalf of the government.
CISA and Binding Operational and Emergency Directives
The CISA’s Binding Operational Directives and Emergency Directives span a wide variety of topics, from enhancing email security to mitigating critical vulnerabilities—like those that enabled the SolarWinds and Log4J attacks. Federal agencies must comply with these directives, but, by and large, the directives do not apply to the private sector—an arena that the CISA, generally, does not regulate (though it works in coordination with other sector-specific regulators that do). The relevant proposed rule, by requiring contractors who develop, operate, or maintain a federal information system to comply with such directives to the extent they are deemed applicable to that system, extends the CISA’s suggestions to a broader set of private-sector entities—which, if the rule goes into effect, will be required to adopt a variety of important practices.
For example, BOD 20-01 currently mandates the development and publication of a vulnerability disclosure policy (VDP). Encouraging vulnerability disclosure, a VDP clarifies how researchers can report vulnerabilities to an organization and how that organization will handle such reports—assuring researchers that good-faith security research is welcome. The CISA is responsible for tracking compliance with this directive within the federal government. This mandate would require federal contractors to develop and publish a VDP, an important step in promoting collaboration between researchers and the federal government.
Similarly, compliance with BOD 16-03, as mandated by the new FAR rule concerning BODs and EDs, would require contractors to report cybersecurity incidents (broadly defined as incidents threatening confidentiality, availability, or integrity of an information system) to the Department of Homeland Security through the United States Computer Emergency Readiness Team (US-CERT). The increased reporting would provide productive transparency and continue the trend toward positioning Homeland Security as a central repository for information about cyber incidents—as established by laws such as the Cyber Incident for Critical Infrastructure Act.
The new requirement for federal information technology contractors to comply with these directives therefore extends the reach of the CISA’s evolving rules and norms for robust cybersecurity, enabling the enforcement of a wide range of security practices and closing certain gaps that could have resulted in the storage of federal data on systems that did not meet federal information security standards. Notably, adopting these compliance requirements would also mandate that contractors comply with all future directives.
FedRAMP
The proposed FedRAMP-compliance policy prescribes that contractors can only use cloud systems approved through the FedRAMP in all contracts and solicitations involving federal information systems. Initially designed to aid federal agency procurement of secure cloud computing services, the FedRAMP standardizes the evaluation, authorization, and monitoring of cloud systems for federal use. This rule significantly expands the FedRAMP’s jurisdiction, as the FedRAMP Board would now oversee, manage, and control security requirements for the cloud computing services used by all federal contractors, in addition to the government. Importantly, the FedRAMP applies not only to the largest infrastructure-as-a-service cloud providers but also to cloud-hosted software-as-a-service products, an increasingly dominant paradigm in software delivery.
The FAR Council estimates that 280 federal contractors will be impacted by the new FedRAMP applicability requirements. What remains to be seen is the extent to which these contractors will switch to using preexisting FedRAMP-approved cloud services, or whether the requirements will trigger a rush of new requests for FedRAMP approval of the cloud services on which they already relied. The Office of Management and Budget’s recently proposed draft memorandum, “Modernizing the Federal Risk Authorization Management Program (FedRAMP),” echoes the new FAR rule, bringing contractors under the scope of the FedRAMP’s standards. The proposed memorandum’s new FedRAMP Board, and the process it would lead to update the FedRAMP authorization process, would provide an important opportunity to ensure the authorization process and its criteria are fit to meet the mandate of governing cloud security for the federal enterprise and its contractors alike.
The material impact of this expansion of FedRAMP application would ultimately come down to its implementation. If the updated FedRAMP standards are more robust than current cloud service provider (CSP) cyber practices, the FAR rule would drive the cybersecurity of the federal cloud ecosystem forward, closing significant loopholes that might previously have resulted in the storage of federal data on systems that have not been vetted to ensure compliance with federal-level cybersecurity standards. However, the effects of an empowered FedRAMP on the broader commercial cloud system will be realized only if CSPs adapt their commercial offerings to FedRAMP standards: Historically, many CSPs have bifurcated their cloud offerings between versions that comply with federal standards and those offered to the commercial market. If—as seems likely—CSPs continue to bifurcate their products into federal and commercial offerings, non-federal services will remain untouched by the FedRAMP standards and the spillover security consequences of this change on the security of commercial cloud offerings will be muted.
This new rule also intensifies debates over how best to modernize the FedRAMP’s risk-assessment process. One of the most pressing issues in this context regards how the process should address questions concerning cloud infrastructure designs. These concerns are notably at the fore given the recent design-related security flaw in Microsoft’s systems that enabled a malicious actor to access government emails; questions linger about whether the systems involved had been subject to FedRAMP oversight, which will hopefully be addressed by a forthcoming Cyber Safety Review Board review of the incident and cloud services more broadly. Another issue concerns how to robustly evaluate security considerations that may vary across different deployments of the same cloud product while still capturing the efficiency benefits created by the “presumption of adequacy”—which dictates that a FedRAMP-approved service can and should be used freely by different agencies after its initial approval. If FedRAMP requirements come to envelop a broader range of cloud systems, these questions about the adequacy of the current FedRAMPs certification processes for revealing design flaws and deployment-specific considerations will become only more urgent.
The inclusion of FedRAMP in the FAR rule signals the government’s intent to use FedRAMP as the predominant method for cloud risk management in government. It also serves as a proving ground for cloud risk-management measures that could be applicable beyond government. Lessons learned from how and whether expanded FedRAMP requirements meaningfully increase cloud security and reduce cloud risk for federal contractors would provide crucial information about how the government might seek to enhance private-sector cloud security in areas like critical infrastructure, which is increasingly reliant on cloud computing.
Conclusion
The proposed FAR rules would expand the scope of government cybersecurity requirements more broadly across the private sector, facilitating substantive changes to the relationship between the public and private sectors in cybersecurity. As the expansion of agency authority would enable the federal government to mandate extensive cybersecurity practices for its contractors, it would also bring to the surface salient issues in the current cybersecurity regulatory framework the government would need to address. These include, among others, the lack of unified cyber standards and legal requirements for cloud risk management applicable to the broader private sector.
The comment period will close tomorrow, after which the FAR Council will reevaluate the proposed regulations and amend the final version of the FAR. What will follow will most likely be a mass reorganization of agency-specific cyber requirements for federal contractors and the start of a potentially long and expensive compliance process, but one that, if the rules achieve their goals, will extend the government’s own cyber standards to its many private-sector partners.