GSA Establishes Framework for Security Regulations Covering Federal Acquisitions
The federal government aims to streamline its information security and supply chain security procurement policies as part of an effort to bolster cyber defenses and better safeguard federal systems.
The General Services Administration, NASA and the Department of Defense – the three federal agencies responsible for maintaining the extensive set of rules governing federal acquisition – published a final rule Monday establishing an entirely new component to the Federal Acquisition Regulation. FAR part 40 will contain the vast scope of policies and procedures for managing information security and supply chain security throughout the federal procurement process, according to the notice.
For now, the new part is only a placeholder. The agencies say the policies and procedures for managing information security and supply chain security will be added later.
The rules surrounding information security and supply chain security are currently dispersed across the FAR, “which makes it difficult for the acquisition workforce to locate, understand, and implement applicable requirements,” the agencies wrote. FAR part 40 will establish a single, consolidated location where contracting officers can find and implement relevant requirements, as well as review security policies and procedures for agencies procuring goods and services.
The new part will house a broad range of security requirements across federal acquisitions, according to the final rule, including security regulations “designed to bolster national security” against cybersecurity supply chain risks and threats associated with foreign adversaries and emerging technologies. Other supply chain and information risks unrelated to security – such as those related to climate change, labor and human trafficking – will remain covered in separate parts of the FAR.
FAR part 40 will officially become established in May, while the relocation of existing security policies for supply chains and information security will be done through separate rule-making, the notice says.
The FAR amendment is required under the Biden administration’s 2021 cybersecurity executive order, which tasks agencies with improving their security posture and enhancing software supply chain integrity (see: Biden’s Cybersecurity Executive Order: 4 Key Takeaways). Security requirements that apply exclusively to information and communications technology acquisitions will continue to be covered in FAR part 39, which contains the policies and procedures for agencies acquiring information technology systems.