[Federal Register Volume 88, Number 190 (Tuesday, October 3, 2023)]
[Proposed Rules]
[Pages 68402-68422]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-21327]
[[Page 68401]]
Vol. 88
Tuesday,
No. 190
October 3, 2023
Part IV
Department of Defense
-----------------------------------------------------------------------
General Services Administration
-----------------------------------------------------------------------
National Aeronautics and Space Administration
-----------------------------------------------------------------------
48 CFR Parts 1, 2, et al.
Federal Acquisition Regulation: Standardizing Cybersecurity
Requirements for Unclassified Federal Information Systems; Proposed
Rule
��Federal Register / Vol. 88, No. 190 / Tuesday, October 3, 2023 /
Proposed Rules��
[[Page 68402]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 2, 4, 7, 10, 11, 12, 37, 39 and 52
[FAR Case 2021-019; Docket No. FAR-2021-0019; Sequence No. 1]
RIN 9000-AO35
Federal Acquisition Regulation: Standardizing Cybersecurity
Requirements for Unclassified Federal Information Systems
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal
Acquisition Regulation (FAR) to partially implement an Executive Order
to standardize cybersecurity contractual requirements across Federal
agencies for unclassified Federal information systems, and a statute on
improving the Nation's cybersecurity.
DATES: Interested parties should submit written comments to the
Regulatory Secretariat Division at the address shown below on or before
December 4, 2023 to be considered in the formation of the final rule.
ADDRESSES: Submit comments in response to FAR Case 2021-019 to the
Federal eRulemaking portal at https://www.regulations.gov by searching
for ``FAR Case 2021-019''. Select the link ``Comment Now'' that
corresponds with ``FAR Case 2021-019''. Follow the instructions
provided on the ``Comment Now'' screen. Please include your name,
company name (if any), and ``FAR Case 2021-019'' on your attached
document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR
FURTHER INFORMATION CONTACT section of this document for alternate
instructions.
Instructions: Please submit comments only and cite ``FAR Case 2021-
019'' in all correspondence related to this case. Comments received
generally will be posted without change to https://www.regulations.gov,
including any personal and/or business confidential information
provided. Public comments may be submitted as an individual, as an
organization, or anonymously (see frequently asked questions at https://www.regulations.gov/faq). To confirm receipt of your comment(s),
please check https://www.regulations.gov, approximately two three days
after submission to verify posting.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Carrie Moore, Procurement Analyst, at (571) 300-5917 or by email at
[email protected]. For information pertaining to status, publication
schedules, or alternative instructions for submitting comments if
https://www.regulations.gov cannot be used, contact the Regulatory
Secretariat Division at 202-501-4755 or [email protected]. Please cite
FAR Case 2021-019.
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA are proposing to revise the FAR to provide
standardized cybersecurity contractual requirements across Federal
agencies for Federal information systems (FIS) by implementing: (1)
recommendations received in accordance with paragraph (i) of section 2
of Executive Order (E.O.) 14028, ``Improving the Nation's
Cybersecurity,'' dated May 12, 2021; and (2) paragraphs (a) and (b)(1)
of section 7 of the Internet of Things (IoT) Cybersecurity Improvement
Act of 2020 (Pub. L. 116-207). Other aspects of section 2 of E.O. 14028
are being implemented in FAR Case 2021-017, Cyber Threat and Incident
Reporting and Information Sharing. This rulemaking does not implement
Office of Management and Budget Memorandum M-22-18, Enhancing the
Security of the Software Supply Chain through Secure Software
Development Practices, issued September 14, 2022.
The United States faces persistent and increasingly sophisticated
malicious cyber campaigns that threaten the public and private sectors'
security and privacy. The Council of Economic Advisors estimates that
malicious cyber activity cost the U.S. economy between $57 billion and
$109 billion in 2016. With threats continuing to grow, this activity
could yield costs of more than $1 trillion over a decade. In addition
to the aggregate effect on the economy, the impact of a single cyber
incident to an individual company can be crippling. An October 2020
study from the Cybersecurity and Infrastructure Security Agency (CISA)
in the Department of Homeland Security (DHS), entitled ``Cost of a
Cyber Incident: Systematic Review and Cross-Validation,'' indicates
that the average per-incident cost to small businesses of less than 250
employees and medium-sized businesses of at least 250 employees, but
less than 1,000 employees, could range from $5,000 to $226,000, and
from $102,000 to $40 million for large businesses of 1,000 employees or
more.
The Government must improve its efforts to identify, deter, protect
against, detect, and respond to these actions. Contractors must be able
to adapt to the continuously changing threat environment, ensure
products are built and operate securely, and coordinate with the
Government to foster a more secure cyberspace. It also is essential
that the Government--and its contractors--take a coordinated approach
to complying with applicable security and privacy requirements, which
are closely related, though they come from independent and separate
disciplines. In the end, the trust the United States places in its
digital infrastructure should be proportional to how trustworthy and
transparent that infrastructure is, and to the consequences it will
incur if that trust is misplaced.
The Government has a responsibility to protect and secure its
computer systems, whether they are cloud-based, on-premises, or a
hybrid of the two. The scope of that protection and security must
encompass the systems that process data (e.g., information technology
(IT)) and those that run the vital machinery that ensures its safety
(e.g., operational technology (OT)). The Government contracts with IT
and OT service providers to conduct an array of day-to-day functions on
Federal Information Systems (FIS).
A FIS is an information system used or operated by an agency, by a
contractor of an agency, or by another organization, on behalf of an
agency. All FISs require protection as part of good risk management
practices. Agencies are responsible for determining what information
systems are FIS, in accordance with the definition provided in this
rule.
Currently, contractual requirements for the cybersecurity standards
of unclassified FISs are largely based on agency-specific policies and
regulations. The risks associated with agency-specific policies can
result in inconsistent security requirements across contracts, as well
as be unclear, add costs, and restrict competition.
To address these risks, paragraph (i) of section 2 of E.O 14028
requires the DHS Secretary, acting through the Director of CISA, to
review agency-specific cybersecurity requirements that currently exist
as a matter of law, policy, or contract and recommend to the FAR
Council standardized contract language for appropriate cybersecurity
[[Page 68403]]
requirements. Paragraph (j) of section 2 of E.O. 14028 then directs
that FAR Council to consider the contract language received from DHS
and publish for public comment any proposed updates to the FAR. This
proposed rule would implement the DHS recommendations across all
Federal agencies to streamline requirements and improve compliance for
contractors and the Government.
By standardizing a set of minimum cybersecurity standards to be
applied consistently to FISs, the proposed rule would ensure that such
systems are better positioned in advance to protect from cyber threats.
In addition, and as required by paragraph (k) of section 2 of E.O.
14028, upon issuance of a final rule, agencies shall update their
agency-specific requirements to remove any requirements that are
duplicative of such FAR updates.
II. Discussion and Analysis
This proposed rule provides cybersecurity policies, procedures, and
requirements for contractor services to develop, implement, operate, or
maintain a FIS. This rule underscores that compliance with these
requirements is material to eligibility and payment under Government
contracts.
A contract to develop, implement, operate, or maintain a FIS may
require contractors to utilize cloud computing services, services other
than cloud computing services (i.e., non-cloud computing services, also
known as on-premises computing services), or a hybrid of both
approaches when providing services under the contract. As such, this
rule specifies the policies, procedures, and requirements that apply to
each service approach (i.e., a FIS that uses non-cloud computing
services and a FIS that uses cloud computing services). When an
acquisition requires the use of both non-cloud computing services and
cloud computing services in performance of the contract, the rule would
require compliance with the policies, procedures, and requirements for
each service approach, as they respectively apply to the FIS.
This rule proposes to: (1) add a new FAR subpart 39.X, ``Federal
Information Systems,'' to prescribe policies and procedures for
agencies when acquiring services to develop, implement, operate, or
maintain a FIS; (2) add and revise definitions in parts 2 and 39.X
using current language from statute, regulation, Office of Management
and Budget memoranda and circulars, and National Institute of Standards
and Technology (NIST) Special Publications (SP) guidance; (3) make
conforming changes to parts 4, 7, 37, and 39 to further implement
policies and procedures described below; and (4) add two new FAR
clauses to be used in contracts for services to develop, implement,
operate, or maintain a FIS: FAR clause 52.239-YY, ``Federal Information
Systems Using Non-Cloud Computing Services,'' which is included in
solicitations and contracts that use non-cloud computing services in
performance of the contract; and FAR clause 52.239-XX, ``Federal
Information Systems Using Cloud Computing Services,'' which is included
in solicitations and contracts that use cloud computing services in
performance of the contract. The policies and requirements specified in
this rule are discussed below.
A. FISs Using Non-Cloud Computing Services
FIPS Publication 199 Impact Level and Mandatory Security and
Privacy Controls. As each requirement will vary in scope, as well as
the function of each FIS, adequate security and privacy controls must
be identified when agencies define their acquisition requirements.
Agencies will use Federal Information Processing Standard (FIPS)
Publication 199 to categorize the FIS based on its impact analysis of
the information processed, stored, or transmitted by the system. As a
result of the analysis, the FIPS Publication 199 impact level of the
FIS, as well as a set of necessary security and privacy controls for
the FIS, will be specified by the agency in the contract. As part of
the security and privacy controls identified by the agency, the rule
would require agencies to address multifactor authentication,
administrative accounts, consent banners, Internet of Things device
controls, and assessment requirements, when applicable, in every
applicable contract. The proposed rule adds text to FAR part 7 to
ensure that acquisition planners develop agency requirements in
accordance with the rule's requirements.
Records Management and Government Access. To assist the Government:
(1) in carrying out a program of inspection to safeguard against
threats and hazards to the security and privacy of Government data, or
(2) for the purpose of audits, investigations, inspections or similar
activities, paragraph (c) of the clause 52.239-YY would require
contractors to provide the Government's authorized representatives,
which includes CISA (for civilian agencies) as well as other Federal
agencies as specified by the contracting officer, with timely and full
access to Government data and Government-related data, timely access to
contractor personnel involved in performance of the contract, and
specifically for the purpose of audit, investigation, inspection, or
other similar activity, physical access to any contractor facility with
Government data including any associated metadata. If the contractor
receives a request for access from CISA, the contractor must confirm
the validity of the request by contacting CISA and notifying the
contracting officer in writing of the request for access.
Assessments. When a FIS is designated as a moderate or high FIPS
Publication 199 impact level, paragraph (d) of the clause 52.239-YY
would require contractors: (1) to conduct, at least annually, a cyber
threat hunting and vulnerability assessment to search for
vulnerabilities, risks, and indicators of compromise; and (2) to
perform to an annual, independent assessment of the security of each
FIS. Upon completion, contractors would submit the results of an
assessment, including any recommended improvements or risk mitigations,
to the contracting officer. The agency will review the results of the
assessment. The agency may require the contractor to implement the
recommended improvement or mitigation. The agency may provide the
contractor with a rationale for not requiring the contractor to
implement the recommendation or mitigation, and if so, the contractor
would document the agency's rationale in the System Security Plan
(SSP).
If the contractor contracts with a third-party assessment
organization to perform these assessments, contractors must enter into
a confidentiality agreement with the organization to protect Federal
data under the contract. To assist with mitigating any potential
conflicts of interest, the clause would also require contractors to
notify the contracting officer of any existing business relationships
the contractor may have with the organization.
Specification of Additional Security and Privacy Controls. Agencies
will also specify in the requirement the security and privacy controls
necessary for contract performance. In accordance with paragraph (e) of
the clause 52.239-YY, the controls specified by the agency will be
based on the current version of the following documents at the time of
contract award: NIST SP 800-53, ``Security and Privacy Controls for
Information Systems and Organizations;'' NIST SP 800-213 ``IOT Device
Cybersecurity Guidance for the Federal Government: Establishing IoT
Device Cybersecurity Requirements;'' NIST SP 800-161, ``Cybersecurity
[[Page 68404]]
Supply Chain Risk Management Practices for Systems and Organizations;''
and NIST SP 800-82, ``Guide to Industrial Control Systems Security.''
Paragraph (e) also requires contractors to: (1) develop, review, and
update, if appropriate, an SSP to support authorization of all
applicable FIS, and (2) have contingency plans for all information
technology systems, aligned to NIST SP 800-34, ``Contingency Planning
Guide for Federal Information Systems.'' The rule does not require a
specific format for the SSP, but NIST SP 800-34 provides information on
a template that contractors may choose to use. Contractors will be
expected to provide a copy of the SSP, as well as make contingency
plans available, to an agency upon request.
In some situations, an information system may be designated as a
high value asset by the agency. In accordance with paragraph (e) of the
clause 52.239-YY, contractors will be subject to, as specified in the
requirement, additional security and privacy controls for a high value
asset, that could include the implementation of a high value asset
overlay, immediate failover and/or recover plans, and complying with
requisite cybersecurity assessments (e.g., contractor cooperation and
allowing access).
Additional considerations. For each non-cloud FIS developed,
implemented, operated, or maintained, paragraph (f) of the clause
52.239-YY requires contractors to apply NIST SP guidance on various
topics when performing or managing certain activities related to the
FIS, including: managing information system risk when supporting agency
risk management activities; developing risk management processes;
conducting and communicating the results of risk assessments; designing
zero trust architecture approaches; considering security when executing
within the context of systems engineering; selecting, adapting, and
using cyber resiliency constructs for new systems, system upgrades, or
repurposed systems; implementing continuous monitoring strategies for
FISs; and implementing digital identity services and requirements.
Further, paragraph (f)(7) requires contractors to provide the
Government with a copy of their continuous monitoring strategy for the
FIS that demonstrates an ongoing awareness of information security,
vulnerabilities, and threats in order to support risk management
decisions, and applies the use of automation, wherever possible;
protects vulnerability scan data, logs, and telemetry; and applies the
guidance of NIST SP 800-137, ``Information Security Continuous
Monitoring (ISCM) for Federal Information Systems and Organizations.''
Cyber supply chain risk management. Paragraph (g) of the clause
52.239-YY advises that contractors may implement alternative,
additional, or compensating cyber supply chain risk management security
controls from those stated in the contract, when authorized in writing
to do so by the contracting officer.
Notifiable incident reporting, incident response, and threat
reporting. Paragraph (h) of the clause 52.239-YY reminds contractors
that they must refer to FAR clause 52.239-ZZ, ``Incident and Threat
Reporting and Incident Response Requirements for Products or Services
Containing Information and Communications Technology'' (see FAR case
2021-017), for guidance on handling security incident and cyber threat
reporting.
Other protections. Paragraph (i) of the clause 52.239-YY specifies
the limitations on contractor access to, use, and disclosure of
Government data, Government-related data, and metadata under the
contract, and requires contractors to notify the contracting officer of
any requests from an entity other than the contracting activity
(including warrants, seizures, or subpoenas the contractor receives
from another Federal, State, or local agency) for access to Government
data, Government-related data, or any associated metadata. The clause
also notifies contractors that they must also comply with applicable
clauses, regulations, and laws regarding unauthorized disclosure.
Cryptographic Key Services. When providing cryptographic key
services under the contract, paragraph (j) of the clause 52.239-YY
requires contractors to provide the agency with applicable key material
and services; however, the Government reserves the right to implement
and operate its own cryptographic key services under the contract.
Operational Technology Equipment List. Paragraph (k) of the clause
52.239-YY requires contractors to develop and maintain a list of the
physical location of all operational technology equipment included
within the boundary for the non-cloud FIS and provide a copy to the
Government, upon request. While the proposed rule does not specify a
format for the operational technology equipment list, contractors must
ensure that the list includes enough information about the equipment to
positively locate and track any movement of the equipment during
contract performance, including details on password protection and the
ability for remote access to the equipment.
Binding Operational Directives and Emergency Directives. Paragraph
(l) of clause 52.239-YY advises that contractors must comply with
Binding Operational Directives (BODs) and Emergency Directives (EDs)
issued by CISA that have specific applicability to a FIS used or
operated by a contractor. A list of BODs and EDs can be found at
https://www.cisa.gov/directives. Occasionally, a BOD or ED with an
explicit applicability to a FIS used or operated by a contractor will
not need to apply to a contract. In such situations, the contracting
officer will identify, in paragraph (l)(2) of the clause, any such BODs
or EDs that are not applicable to the contract.
Indemnification. Paragraph (m) of the clause 52.239-YY indemnifies
the Government from any liability that arises out of the performance of
the contract and is incurred because of the contractor's introduction
of certain information or matter into Government data or the
contractor's unauthorized disclosure of certain information or
material. The paragraph serves as a waiver of defense to change the
analysis from negligence, which is the defense, to strict liability,
which doesn't allow for a defense. The paragraph also provides terms
and requirements in the event of a claim or suit against the Government
for such an unauthorized disclosure or introduction of data or
information. The proposed text was taken from industry terms of service
agreements for cloud services providers.
Subcontracts. Paragraph (n) of the clause 52.239-YY advises
contractors that the substance of the clause must be included in any
subcontracts issued under the contract that are for services to
develop, implement, operate, or maintain a FIS using non-cloud
computing services.
Prohibition on IoT Devices. The rule also implements a portion of
the ``Internet of Things Cybersecurity Improvement Act of 2020'' (Pub.
L. 116-207), which prohibits agencies from procuring or obtaining,
renewing a contract to procure or obtain, or using an IoT device if the
agency's Chief Information Officer determines in certain situations
that the use of such a device prevents compliance with NIST SP 800-213.
The rule advises contracting officers at 39.X03-1(b) of the prohibition
and how the prohibition may be waived by the head of the agency if
certain criteria are met.
B. FIS Using Cloud Computing Services
When acquiring services to develop, implement, operate, or maintain
a FIS
[[Page 68405]]
using cloud computing services, agencies will identify the FIPS
Publication 199 impact level and the corresponding Federal Risk and
Authorization Management Program (FedRAMP) authorization level for all
applicable cloud computing services in the contract.
Safeguards, controls, and maintenance of certain systems within the
United States. Paragraph (c) of the clause 52.239-XX requires
contractors to implement and maintain the security and privacy
safeguards and controls in accordance with the FedRAMP level specified
by the agency, engage in continuous monitoring activities, and provide
continuous monitoring deliverables as required for FedRAMP approved
capabilities. More information on these deliverables can be found in
the ``FedRAMP Continuous Monitoring Strategy Guide'' at https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf.
Additionally, paragraph (c) specifies that, when a system is
categorized as having FIPS Publication 199 high impact, contractors
must maintain within the United States or its outlying areas (see FAR
2.101) all Government data that is not physically located on U.S.
Government premises, unless otherwise specified in the contract.
Government data. Paragraph (f) of the clause 52.239-XX requires
contractors to provide and dispose of Government data and Government-
related data in the manner and format specified in the contract.
Contractors must also provide confirmation to the contracting officer
that such data has been disposed of in accordance with contract
closeout procedures.
Other protections. Similar to the requirements for non-cloud FISs
in clause 52.239-YY, the clause 52.239-XX: (1) at paragraph (c),
reserves the Government's right to implement and operate its own
cryptographic key services under the contract; (2) at paragraph (d),
specifies the limitations on contractor access to, use, and disclosure
of Government data and Government-related data under the contract; (3)
at paragraph (e), requires contractors to handle security incident and
cyber threat reporting in accordance with proposed FAR clause 52.239-
ZZ; (4) at paragraph (f), specifies the terms for the Government's
authorized representatives' access to Government and Government-related
data, contractor personnel, and contractor facilities; (5) at paragraph
(g), requires contractors to notify the contracting officer of any
requests from a third-party (including another Federal, State, or local
agency) for access to Government data and Government-related data; (6)
at paragraph (h), requires contractors to indemnify the Government from
any liability that arises out of the performance of the contract
because of the contractor's introduction of certain information or
matter into Government data or the contractor's unauthorized disclosure
of certain information or material; and (7) at paragraph (i), specifies
when to include the substance of the clause in subcontracts.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Products (Including Commercially
Available Off-the-Shelf (COTS) Items) or for Commercial Services
This rule applies section 7 of the Internet of Things Cybersecurity
Improvement Act of 2020 (15 U.S.C. 278g-3e) to acquisitions valued at
or below the SAT because of the ``notwithstanding section 1905'' in 15
U.S.C. 278g-3e(a)(2) which applies the Act to such acquisitions. This
rule also applies to acquisitions for commercial products, including
COTS items, and commercial services because Government data and systems
require protection regardless of dollar value or commerciality of the
product or service.
To implement paragraphs (a) and (b)(1) of section 7 of the Act,
this rule adds a new policy at FAR 39.X02-1(b), Prohibited IoT devices
in Federal information systems. The policy prescribed at FAR 39.X02-
1(b) applies when agencies are acquiring IoT devices.
A. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
41 U.S.C. 1905 governs the applicability of laws to acquisitions at
or below the SAT. Section 1905 generally limits the applicability of
new laws when agencies are making acquisitions at or below the SAT, but
provides that such acquisitions will not be exempt from a provision of
law under certain circumstances, including when the FAR Council makes a
written determination and finding that it would not be in the best
interest of the Federal Government to exempt contracts and subcontracts
in amounts not greater than the SAT from the provision of law. At the
time of the final rule the FAR Council does not intend to make a
determination to apply 15 U.S.C. 278g-3e to acquisitions at or below
the SAT because paragraph (a)(2) of 15 U.S.C. 278g-3e expressly states
that it applies to acquisitions in amounts not greater than the SAT;
therefore, no additional determination is necessary under 41 U.S.C.
1905.
B. Applicability to Contracts for the Acquisition of Commercial
Products and Commercial Services, Including Commercially Available Off-
the-Shelf (COTS) Items
41 U.S.C. 1906 governs the applicability of laws to contracts for
the acquisition of commercial products and commercial services, and is
intended to limit the applicability of laws to contracts for the
acquisition of commercial products and commercial services. Section
1906 provides that if the FAR Council makes a written determination
that it is not in the best interest of the Federal Government to exempt
commercial item contracts, the provision of law will apply to contracts
for the acquisition of commercial products and commercial services.
41 U.S.C. 1907 states that acquisitions of COTS items will be
exempt from certain provisions of law unless the Administrator for
Federal Procurement Policy makes a written determination and finds that
it would not be in the best interest of the Federal Government to
exempt contracts for the procurement of COTS items.
At the time of the final rule the FAR Council intends to make a
determination to apply 15 U.S.C. 278g-3e to acquisitions for commercial
products and commercial services. At the time of the final rule, the
Administrator for Federal Procurement Policy intends to make a
determination to apply 15 U.S.C. 278g-3e to acquisitions for COTS
items.
C. Determination(s)
This rule applies to acquisitions for commercial products,
including COTS items, and commercial services, because Government data
and systems require protection regardless of dollar value or
commerciality of the product or service.
IV. Expected Impact of the Rule
The Government anticipates that this rule will reduce
administrative costs for contractors interested in providing services
to develop, implement, operate, or maintain a FIS. Over time, the FAR
Council anticipates this proposed rule, once finalized, will increase
competition by establishing a common set of policies and procedures
that apply to FISs.
Establishing uniform requirements for the Government and
contractors regarding FISs will significantly assist the Government in
protecting Federal information and systems from malicious cyber
campaigns that threaten the public and private sectors' security and
[[Page 68406]]
privacy. Currently, contract requirements for the cybersecurity
standards of unclassified FISs are largely based on agency-specific
policies and regulations, which can lead to inconsistent security
requirements across contracts and unclear, inconsistent, or overly
restrictive guidance to contractors. This rule will provide a more
consistent and streamlined implementation of cybersecurity standards
across the Federal Government.
A. Affected Entities
This rule proposes two new contract clauses for use when acquiring
services to develop, implement, operate, or maintain a FIS.
Specifically, the contracting officer will include--
The clause at FAR 52.239-YY, Federal Information Systems
Using Non-Cloud Computing Services, in solicitations and contracts that
use or may use non-cloud computing services in performance of the
contract; and
The clause at FAR 52.239-XX, Federal Information Systems
Using Cloud Computing Services, in solicitations and contracts that use
or may use cloud computing services in performance of the contract.
According to subject matter experts, there are approximately 140
non-cloud FISs currently being operated or maintained by contractors on
behalf of the Government. For this estimate, the Government
conservatively assumes that the services for each of these non-cloud
FISs are awarded on individual contracts and that each contract is
awarded to a unique entity. It is assumed that each of these contracts
have a five-year period of performance, and that the Government evenly
awards the estimated 140 contracts over a five-year period (20 percent
each year). Therefore, the Government estimates it awards 28 contracts
((20 percent * 140 non-cloud FISs) * 1 contract/FIS) to 28 unique
contractors (28 contracts = 28 unique entities) annually for the
development, implementation, operation, or maintenance of a non-cloud
FIS on behalf of the Government.
According to FedRAMP data and subject matter experts, there are
approximately 280 unique FedRAMP-authorized and ready cloud service
offerings available to the Federal Government. For this estimate, the
Government will award approximately 280 contracts for cloud services
impacted by this rule over a five-year period (20 percent each year).
Based on the number of FedRAMP-authorized offerings, the Government
estimates that there are approximately 56 new or revised FIS offerings
(20 percent * 280 cloud service offerings) each year for which the
Government contracts. For this estimate, the Government assumes: the
number of new or revised FIS offerings the Government contracts for
each year is equivalent to the number new FIS impacted by this rule
annually; one service provider is responsible for executing all the
requirements of this rule for a FIS; and that each FIS is being
serviced by a different contractor. Therefore, the Government estimates
that 56 unique entities will be awarded a contract annually for the
development, implementation, operation, or maintenance of a cloud FIS
on behalf of the Government.
Based on the input of subject matter experts, the Government
further estimates that:
Of the 28 contractors that will be awarded a contract each
year to operate or maintain a non-cloud FIS, approximately three (10
percent) are small businesses and 25 (90 percent) are other than small
businesses.
Of the 56 contractors that will be awarded a contract each
year to operate or maintain a cloud FIS, approximately three (five
percent) are small businesses and 53 (95 percent) are other than small
businesses.
B. Contractor Compliance Requirements and Estimate of Cost
The total estimated annualized public costs associated with this
FAR rule over a ten-year period (calculated at a 7-percent discount
rate) are approximately $55 million annually, or $388 million in net
present value, based on the discussion in paragraphs IV.B.1. through
IV.B.7 below.
The following compliance requirements in FAR clause 52.239-YY and
52.239-XX are considered new to the FAR for all Federal contractors
that develop, implement, operate, or maintain a FIS using cloud or non-
cloud computing services, as applicable:
1. Regulatory Familiarization
The new FAR clauses are prescribed for use in solicitations and
contracts for services to develop, implement, operate, or maintain a
FIS. It is expected that all 84 contractors (28 non-cloud FIS
contractors + 56 cloud FIS contractors) awarded a contract annually for
these services will need, to some degree, to become familiar with the
various compliance requirements of the FAR, as well as the requisite
and applicable NIST SP guidelines, FIPS Publication standards, CISA
BODs and EDs, and FedRAMP requirements, to be prepared to implement and
maintain the cybersecurity standards and requirements for a FIS in
performance of a Federal contract. It is assumed that most contractors
will be familiar with, to some degree, some or all these documents.
Offerors will also need to be familiar with these requirements
before submitting a proposal to provide such services. For each of the
84 contractors that receive a contract annually for these services, the
Government estimates that, on average, two other offerors, or a total
of 168 offerors (84 contractor awards * 2 unsuccessful offerors) will
familiarize themselves with the clause requirements, submit a proposal,
but will not receive a contract award.
As a result, it is expected that all 252 (84 contractors + 168
offerors) of these contractors and offerors will be required to become
familiar with the various compliance requirements of the rule.
It is estimated that it will take each offeror or contractor eight
hours, on average, to review the rule and gain a basic understanding
these new requirements. The average wage rate of a contractor employee
is estimated to be $57.28 per hour, which is the average of the mean
wages reported by the Bureau of Labor Statistics (BLS) for various
occupational categories that design, analyze, maintain, and oversee
information systems for an organization. A factor of 42 percent, based
on the BLS Employer Costs for Employee Compensation Summary dated March
17, 2023 (https://www.bls.gov/news.release/ecec.nr0.htm), is applied to
the average wage rate to account for total employee benefits paid for
by the employer ($57.28 * 1.42 = $81.34), and a factor of 12 percent is
then applied to the rate of $81.34 to account for employer overhead,
which results in a loaded rate of $91.10 ($81.34 * 1.12) for FIS
occupations.
Therefore, the estimated cost for 252 contractors and offerors to
familiarize themselves with the rule in year one is approximately
$183,700 (252 contractors and offerors * 8 hours/entity * $91.10/hour).
The cost accounts for the time needed to comprehend the text of the
rule, as well as locate and generally review the requirements within
each of the cited documents in the rule.
2. Compliance With NIST Guidelines
All 28 contractors that develop, implement, operate, or maintain a
FIS using non-cloud computing services are required by paragraphs (e)
and (f) of the new clause 52.239-YY to use or apply various NIST SP
guidelines for managing risk, security, and privacy, as applicable. The
extent to which each of these guidance documents needs to be
implemented by a contractor depends
[[Page 68407]]
on many variables, including: the extent to which the guidance is
already implemented in the contractor's existing practices; the scope
and requirements of each contract; the knowledge and expertise of the
contractor's employees; the manner in which a contractor chooses to
implement a requirement; and the resources and tools available to the
contractor in performing the contract.
Based on the discussion in paragraphs IV.B.2.i. through IV.B.2.x.
below, the total annual estimated cost for 28 contractors, as
applicable, awarded a contract to develop, implement, operate, or
maintain an existing or custom-build, non-cloud FIS on behalf of the
Government, to comply with NIST guidelines in year one is approximately
$19.6 million, and approximately $12 million each subsequent year for
annual maintenance to remain compliant with existing NIST guidelines.
The cost for complying with NIST guidelines accounts for the time
it takes contractors to closely read through the documents, analyze the
requirements against the current state and identify any necessary
changes, and implement and document the change, as needed.
i. NIST SP 800-53. The effort and resources a contractor will
expend to comply with NIST SP 800-53 will also vary depending on
whether the affected FIS is an existing system or a system that will be
custom built to Government specifications.
Existing systems already implement some of the guidelines required
by the clause or their implementation has been accepted by the
Government, while custom-built systems have no pre-existing controls in
place and will require a greater amount of effort and resources to be
compliant with the clause. The Government estimates that of the 28
contractors annually awarded a contract to develop, implement, operate,
or maintain a non-cloud FIS, approximately six contractors (20 percent)
are awarded a contract involving a custom-build system, while the
remaining 22 contractors (80 percent) are awarded a contract involving
an existing system.
Contractors awarded a contract involving an existing non-cloud FIS
are anticipated to expend between 2,300 and 6,500 hours and $218,000
and $683,000 in labor and materials in year one to implement, and
between $127,000 and $478,000 each following year to maintain
compliance with NIST SP 800-53. The cost and effort to implement and
maintain compliance will vary by contractor depending on various
factors, including: the complexity of the information system; the
availability of employees with the requisite knowledge and skills to
implement the necessary controls; the need to install hardware or
software, and the chosen solution, as well as the number of users
impacted, the types of devices used, and the complexity of the
contractor's network.
Contractors awarded a contract involving a custom build non-cloud
FIS will expend between 3,000 and 7,300 hours and between $308,000 and
$976,000 in labor and materials in year one to implement, and between
$126,000 and $478,000 each following year to maintain compliance with
NIST SP 800-53. The cost and effort to maintain compliance will vary by
contractor based on the factors discussed above.
ii. NIST SP 800-213. This document provides high level guidance
that refers readers to other NIST SP documents addressed in this rule.
Contractors may reference this guidance when their contracts involve
IoT devices. As such, the Government assumes that a small percentage of
the 28 contractors awarded a contract involving a non-cloud FIS, whose
contract also involves IoT devices, may refer to this publication for
direction to more detailed policy and guidance regarding the devices;
However, the Government does not anticipate contractors expending
significant effort reading and familiarizing themselves with the
publication and considers these costs to be de minimis.
iii. NIST SP 800-39. NIST SP 800-39 identifies the Government's
risk management responsibilities related to information systems. All
contractors awarded a contract involving a non-cloud FIS will need to
be aware of the requirements of the publication to adequately support
the non-cloud FIS on behalf of the Government. As such, the Government
assumes all 28 contractors awarded a contract involving a non-cloud FIS
will expend effort to read and become more familiar with the
publication. It is estimated that a contractor will expend
approximately 4 hours reading NIST SP 800-39 in year one to become more
familiar with its contents. Using an average loaded wage rate of $91.10
for FIS occupations, the total estimated labor cost for a contractor to
comply with NIST SP 800-39 is approximately $370(4 hours * $91.10).
iv. NIST SP 800-37. Contractors will reference this guidance to
develop a high-level process to manage system risk through preparation,
categorization, control selection, control implementation and
assessment, system authorizations, and continuous monitoring. This
guidance applies to contracts involving a custom-build system. As such,
the Government assumes all 6 contractors awarded a contract involving a
custom-build, non-cloud FIS will expend effort to comply with this
guidance.
It is estimated that, in year one, a contractor will expend
approximately 8 hours reading and ensuring the processes they develop
incorporate the high-level guidance of NIST SP 800-37. Using an average
loaded wage rate of $91.10 for FIS occupations, the total estimated
labor cost for a contractor to comply with NIST SP 800-37 is
approximately $730 (8 hours * $91.10).
v. NIST SP 800-207. Contractors will reference this guidance when
designing a zero-trust architecture approach for a system. This
guidance applies to contracts involving a custom-build system; However,
this document is very high level and applies to custom-build
requirements in limited circumstances. For these reasons, the
Government does not anticipate most contractors needing to read and
familiarize themselves with the publication, as its application is
unlikely in most custom-build contracts and, in such circumstances, any
time spent reviewing the guidance will be very minimal.
vi. NIST SP 800-160, Volume 1. This guidance applies to contracts
involving a custom-build system. Contractors will reference the current
version of this guidance for considerations, concepts, tasks, and
activities to be taken when designing a system. As such, the Government
assumes all 6 contractors awarded a contract involving a custom-build,
non-cloud FIS will expend effort to read and familiarize themselves
with the publication and make any requisite adjustments to their
security design process to be compliant with the guidance.
It is estimated that a contractor will expend approximately 40
hours reading to become more familiar and adjusting the FIS design
process to comply with NIST SP 800-160 Volume 1 in year one. Using an
average loaded wage rate of $91.10 for FIS occupations, the total
estimated labor cost for a contractor to comply with NIST SP 800-160
Volume 1 is approximately $3,600 (40 hours * $91.10).
vii. NIST SP 800-160, Volume 2. When requested by the Government,
contractors will reference the current version of this guidance to
select, adapt, and use cyber resiliency constructs for new systems,
system upgrades, or repurposed systems. This guidance applies to
contracts involving a custom-build system. As such, the Government
assumes all 6 contractors awarded a
[[Page 68408]]
contract involving a custom-build, non-cloud FIS will expend effort to
read and become more familiar with the publication.
It is estimated that a contractor will expend approximately 16
hours reading NIST SP 800-160 Volume 2 to become more familiar with its
requirements in year one. Using an average loaded wage rate of $91.10
for FIS occupations, the total estimated labor cost for a contractor to
comply with NIST SP 800-160 Volume 2 is $1,500(16 hours * $91.10).
viii. NIST SP 800-30. Contractors will reference the current
version of this guidance to develop and ensure existing processes
prepare for, conduct, communicate results from, and maintain risk
assessments over time. This guidance is applicable to all contracts
involving a custom-build system, as these processes will need to be
developed for those FIS, as well as some contracts involving existing
systems where current processes need to be modified to comply with the
guidance. As such, the Government assumes all 6 contractors awarded a
contract involving a custom-build, non-cloud FIS, and 4 (20 percent *
22) contractors awarded a contract involving an existing, non-cloud FIS
will expend effort to read and better familiarize themselves with the
publication and develop new or adapt existing processes to the guidance
of NIST SP 800-30.
Some contractors awarded a contract involving a non-cloud FIS will
reference NIST SP 800-30 to develop and ensure risk assessment
processes and procedures for the system incorporate the requirements of
the publication. It is estimated that all 6 contractors awarded a
contract involving a non-cloud, custom-build FIS, as well as 4
contractors (20 percent) awarded a contract involving an existing non-
cloud FIS will expend approximately 120 hours (3 employees * 8 hours/
day * 5 days) reading to become more familiar with and developing or
adjusting processes and procedures to comply with NIST SP 800-30 in
year one. Using an average loaded wage rate of $91.10 for FIS
occupations, the total estimated labor cost for a contractor to comply
with NIST SP 800-30 is approximately $10,900 (120 hours * $91.10).
ix. NIST SP 800-63-3. Contractors may reference the current version
of this guidance for more specific information regarding NIST SP 800-53
controls. As such, the Government assumes that the 28 contractors
awarded a contract involving a non-cloud FIS will read and better
familiarize themselves with this publication in conjunction with and as
a part of their familiarization efforts and costs for NIST SP 800-53.
x. NIST SP 800-34. Contractors will reference the current version
of this guidance to align its contingency plans for all IT systems to
the requirements of NIST SP 800-34. This guidance will be applicable to
all contracts involving a custom-build system, as these plans will need
to be developed for when a new non-cloud FIS is being designed, as well
as some contracts involving existing systems where current plans need
to be modified to comply with the guidance. As such, the Government
assumes all 6 contractors awarded a contract involving a custom-build,
non-cloud FIS and 4 (20 percent * 22) of the contractors awarded a
contract involving an existing, non-cloud FIS will expend effort to
read and better familiarize themselves with the publication and develop
new or adapt existing plans to the guidance of NIST SP 800-34.
Some contractors awarded a contract involving a non-cloud FIS will
reference this guidance when developing new contingency plans for
custom-build FISs and reviewing plans for some existing FISs to ensure
the contractor's IT systems meet the requirements set forth in NIST SP
800-34. It is estimated that all 6 contractors awarded a contract
involving a non-cloud, custom-build FIS, as well as 4 (20 percent)
contractors awarded a contract involving an existing non-cloud FIS will
expend approximately 120 hours (3 employees * 8 hours/day * 5 days)
reading to become more familiar with and developing or adjusting plans
to comply with NIST SP 800-34 in year one. Using an average loaded wage
rate of $91.10 for FIS occupations, the total estimated labor cost for
a contractor to comply with NIST SP 800-34 is $10,900(120 hours *
$91.10).
3. Annual Assessments of the FIS
Paragraph (d) of the new clause 52.239-YY requires a contractor
that develops, implements, operates, or maintains a FIS using non-cloud
computing services and that FIS is designated as a moderate or high
FIPS Publication 199 impact, to perform an annual, independent
assessment of the security of each FIS, which includes an architectural
review and penetration testing of the FIS. The contractor must also
conduct, at least annually, cyber threat hunting and vulnerability
assessment to search for cybersecurity risks, vulnerabilities, and
indicators of compromise. Contractors are required to provide the
contracting officer with the results of both assessments, including any
recommended improvements or risk mitigations identified for the FIS. If
the Government chooses not to require the contractor to implement a
recommended improvement or risk mitigation and provides the contractor
with a rationale for not implementing the recommendation, the
contractor is required to document the Government's rationale for not
implementing the recommendation in the contractor's system security
plan.
Of the 140 non-cloud FISs currently being operated or maintained by
contractors on behalf of the Government, the Government estimates that
approximately 95 percent of those systems are designated as moderate or
high FIPS 199 impacts. Applying that percentage to the estimated number
of contractors annually awarded a contract to develop, implement,
operate, or maintain a non-cloud FIS, it is estimated that 27
contractors (95 percent * 28 contractors) will be subject to the annual
assessment requirements.
Based on the discussion in paragraphs IV.B.3.i. through IV.B.3.iii.
below, the total annual estimated cost for 27 contractors that operate
or maintain a non-cloud FIS designated as a moderate or high FIPS 199
impact to comply with the annual assessment requirements of the rule is
approximately $6.6 million (27 contractors * ($112,000 + $132,000 +
$182)). The cost of the annual assessments accounts for the time it
takes contractors to prepare for, conduct, document, review, and submit
an assessment.
i. Annual Independent Architectural Review and Penetration Test.
This annual assessment includes an architectural review of the FIS, as
well as penetration testing of the system. Based on the input of
subject matter experts, the Government estimates the annual cost for a
contractor to obtain an independent security assessment and
architectural review of a FIS is approximately $52,000.
The Government estimates that four senior level employees will
expend a total of 320 hours (4 individuals * 8 hours * 10 days) to
complete the penetration testing of a FIS. According to subject matter
experts, the average loaded wage rate of for a penetration tester is
$250.00. The Government estimates the annual cost for a contractor to
obtain independent penetration testing of a FIS is $80,000 (320 hours *
$250).
Together, the annual cost to a contractor to obtain an independent
assessment of the security of a FIS is approximately $132,000 ($52,000
+ 80,000).
ii. Cyber Threat Hunting and Vulnerability Assessment. The
[[Page 68409]]
Government estimates that four senior level employees will expend a
total of 448 hours (4 individuals * 8 hours * 14 days) to complete
cyber threat hunting and the vulnerability assessment of a FIS. Using
an average loaded wage rate of $250.00 for a cyber threat hunter/
vulnerability assessor, the Government estimates the annual cost for a
contractor to conduct a cyber threat hunting and vulnerability
assessment of a FIS is approximately $112,000 (448 hours * $250).
iii. Submission of Assessments. The Government estimates a
contractor will spend one hour preparing and submitting each assessment
to the Government. Using an average loaded wage rate of $91.10 for FIS
occupations, the total annual estimated cost for a contractor that
operates or maintains a non-cloud FIS designated as a moderate or high
FIPS 199 impact to submit both assessments to the Government is
approximately $182 (1 hour * 2 responses * $91.10).
4. Submission of a Continuous Monitoring Strategy
Paragraph (f)(7) of the new clause 52.239-YY requires a contractor
that develops, implements, operates, or maintains a non-cloud FIS to
provide the Government with a continuous monitoring strategy for the
FIS (as developed under NIST SP 800-53) that demonstrates an ongoing
awareness of information security, vulnerabilities, and threats in
order to support risk management decisions, and applies the use of
automation, wherever possible; protects vulnerability scan data, logs,
and telemetry; and applies the guidance of NIST SP 800-137,
``Information Security Continuous Monitoring (ISCM) for Federal
Information Systems and Organizations.''
All 28 contractors awarded a contract involving a non-cloud FIS
will be required to develop or update their continuous monitoring
strategy to meet the requirements of this rule. Many contractors will
have developed a continuous monitoring strategy to comply with the
guidance in NIST 800-53; however, those plans may need to be revised to
demonstrate a continuous monitoring strategy. The Government estimates
a contractor will spend, on average, 160 hours developing and/or
documenting a continuous monitoring strategy, revising their existing
strategy, as needed, and submitting the strategy to the Government.
Using an average loaded wage rate of $91.10 for FIS occupations, the
total annual estimated cost for a contractor that operates or maintains
a non-cloud FIS to submit a continuous monitoring strategy to the
Government is approximately $14,600 (160 hours * $91.10).
Based on the information above, the total annual estimated cost for
28 contractors that design, develop, operate, or maintain a non-cloud
FIS to comply with the requirement for a continuous monitoring strategy
in year one is approximately $408,000 (28 contractors * 160 hours *
$91.10). The cost of the continuous monitoring strategy accounts for
the time needed to analyze, develop, and document a strategy or review
an existing strategy and make revisions, and prepare and submit the
strategy to the Government.
5. Develop and Maintain a List of Operational Technology Equipment
Paragraph (k) of the new clause 52.239-YY requires all contractors
that develop, implement, operate, or maintain a FIS using non-cloud
computing services to develop and maintain a list of the physical
location and other pertinent data on all of the operational technology
(OT) equipment included within the boundary of the FIS. Contractors
must provide the Government with a copy of the current and/or
historical lists, upon request. All 28 contractors awarded a contract
involving a non-cloud FIS will be required to develop, submit, and
maintain a list of OT equipment.
The Government estimates that a contractor will expend
approximately 80 hours developing the list in year one, and 40 hours
updating and maintaining the list each year thereafter. Using an
average loaded wage rate of $91.10 for FIS occupations, the annual
estimated cost for a contractor that operates or maintains a non-cloud
FIS to develop a list of OT equipment is approximately $7,300 (80 hours
* $91.10), and approximately $3,600 to maintain the list thereafter.
It is estimated that the Government will annually request 6 (20
percent * 28 contractors) contractors provide a copy of the OT
equipment list to the Government. It is estimated that a contractor
will spend one hour preparing and submitting the list to the
Government. Using an average loaded wage rate of $91.10 for FIS
occupations, the total annual estimated cost for contractors to submit
the OT equipment lists to the Government is approximately $550 (6
contractors * 1 hours * $91.10).
Based on the discussion above, the total annual estimated cost for
28 contractors that develop, implement, operate, or maintain a non-
cloud FIS to develop the required OT equipment list in year one is
approximately $204,000 (28 contractors * 80 hours * $91.10), and
approximately $102,000 (28 contractors * 40 hours * $91.10) each
following year to maintain the list annually. The cost accounts for the
time needed to identify the requisite equipment, gather the required
data, and document or update the information.
6. Binding Operational Directives and Emergency Directives
Paragraph (l) of the new clause 52.239-YY requires all contractors
that develop, implement, operate, or maintain a FIS using non-cloud
computing services to comply with any BODs or EDs issued by CISA that
have a specific applicability to a FIS used or operated by a
contractor. All 28 contractors awarded a contract involving a non-cloud
FIS will be required to comply with CISA BODs and EDs. Currently, there
are approximately 15 BODs and 10 EDs posted on CISA's cybersecurity
directives website. The Government anticipates that contractors have
already implemented all or some of the requirements of all or some BODs
or EDs, as part of their company's cybersecurity health. As a result,
the Government estimates that the requirements of approximately half of
the BODs, or 8 BODS, and EDs, or 5 EDs, will still need to be
implemented by a contractor because of this rule in year one. The
Government estimates that approximately 3 new BODs or EDs will be
issued, and need to be implemented by contractors, in each following
year.
The requirements of the BODs and EDs vary in depth, scope, and
complexity depending on the topic and issue being addressed. For this
reason, subject matter experts estimate that, on average, it costs a
contractor $10,000 to implement a new BOD or ED. As a result, the total
annual estimated cost for a contractor that operates or maintains a
non-cloud FIS to implement existing CISA BODs and EDs in year one is
approximately $130,000 (13 x $10,000), and approximately $30,000 to
implement new BODs or EDs issued each following year.
Based on the discussion above, the total annual estimated cost for
28 contractors that develop, implement, operate, or maintain a non-
cloud FIS to implement the requirements of CISA BODs and EDs in year
one is approximately $3,640,000 (28 contractors * 13 BODs and EDs *
$10,000), and approximately $840,000 (28 contractors * 3 BODs & EDs *
$10,000) each following year to maintain the list annually. The cost
accounts for the time needed to identify
[[Page 68410]]
and implement the requisite requirements, as well as any material cost.
7. FedRAMP Cloud Computing Security and Privacy Requirements
The new clause 52.239-XX requires contractors that develop,
implement, operate, or maintain a FIS using cloud computing services to
implement and maintain security and privacy safeguards and controls for
the system in accordance with the FedRAMP level specified in the
contract, as well as certain requirements on multifactor
authentication, administrative accounts, and consent banners specified
in the contract. All 56 contractors awarded a contract to develop,
implement, operate, or maintain a cloud FIS on behalf of the Government
will expend effort and resources to be compliant with cloud computing
security requirements at the FedRAMP level specified in the contract
and certain requirements specified in the contract.
FedRAMP safeguards and controls are based upon the requirements of
NIST SP 800-53 and specify the requirements that must be met for a
cloud offering depending on the designation of the information system
as a low, moderate, or high FIPS 199 impact level, which then equates
to a single FedRAMP impact level. Based on a survey of the FedRAMP
Marketplace website, most of the FedRAMP-authorized cloud service
providers offer solutions designated as moderate FedRAMP impact level;
Therefore, the Government bases the effort and resources needed to
implement the requirements of FAR clause 52.239-XX on a cloud FIS
designated as a FedRAMP moderate impact level.
The safeguards and controls required to meet a FedRAMP moderate
impact level include and build upon the NIST SP 800-53 requirements for
existing non-cloud FIS systems. As such, the rule uses the costs to
implement NIST SP 800-53 for non-cloud FIS as a starting point and then
accounts for the additional costs and impacts for contractors to
implement approximately 16 additional NIST SP 800-53 controls, which
are not required for non-cloud FISs, to be compliant with FedRAMP
moderate impact level requirements. Subject matter expects estimate
that the effort to implement these 16 additional controls, and those
requirements for multifactor authentication, administrative accounts,
and consent banners, is approximately 25 percent of the total estimated
hours and cost to implement NIST SP 800-53.
Therefore, contractors awarded a contract involving a cloud FIS are
anticipated to expend between 2,900 (2,300 hours * 1.25) and 8,200
hours (6,500 hours * 1.25) and $273,000 ($218,000 * 1.25) and $854,000
($683,000 * 1.25) in labor and materials in year one to implement, and
between $158,000 ($127,000 * 1.25) and $598,000 (478,000 * 1.25) each
following year to maintain compliance with NIST SP 800-53 and the
contract requirements on multifactor authentication, administrative
accounts, and consent banners.
Based on the discussion above, the total annual estimated cost for
56 contractors that develop, implement, operate, or maintain a cloud
FIS to maintain compliance with FedRAMP requirements, and the
requirements specified in the contract as identified above, in year one
is approximately $46 million, and approximately $32,000,000, each
following year to maintain compliance with FedRAMP requirements and the
contract, as specified. The cost of the compliance includes the time
needed to read and implement NIST SP 800-53 requirements, as well as
the additional NIST SP 800-53 controls needed to be compliant with
FedRAMP and the contract requirements regarding multifactor
authentication, administrative accounts, and consent banners.
The following is a summary of the total initial and subsequent year
costs to the public as described in section IV.
----------------------------------------------------------------------------------------------------------------
Estimated
Number of Estimated total cost--
Requirement entities total cost-- each
impacted first year subsequent
year
----------------------------------------------------------------------------------------------------------------
Regulatory Familiarization...................................... 252 $183,700 N/A
Compliance with NIST Guidelines................................. 28 19,600,000 12,000,000
Annual Assessments.............................................. 27 6,600,000 6,600,000
Continuous Monitoring Strategy.................................. 28 408,000 N/A
Develop and Maintain OT List.................................... 28 204,000 102,000
Binding Operational Directives and Emergency Directives......... 28 3,640,000 840,000
FEDRamp Compliance.............................................. 53 46,000,000 32,000,000
-------------------------------
Totals...................................................... .............. 76,635,700 51,543,000
----------------------------------------------------------------------------------------------------------------
C. Government Compliance Requirements
The total estimated annualized costs to the Government associated
with this FAR rule over a ten-year period are approximately $136,000
(calculated at a 7-percent discount rate).
The following specific compliance requirements related to FAR
clause 52.239-XX and 52.239-YY are tasks for the Government:
1. Review and Analyze Annual Assessments
The Government must review and analyze each of the 54 assessments
provided by contractors annually (see 39.X03(c)) and provide a
recommendation to the contractor to implement, or a rationale for not
implementing, each recommendation in the contractor's assessments.
It is estimated that a General Schedule (GS) 15/step 5 employee
will spend 20 hours reviewing, analyzing, and drafting recommendation
responses for each assessment. The wage rate of a GS 15/step 5 employee
is $74.35 per hour, according to the Office of Personnel Management
(OPM) 2023 GS Locality Pay Table for the rest of the United States
(https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2023/RUS_h.pdf). A factor of 36.25 percent, based on
OMB M-08-13, Update to Civilian Position Full Fringe Benefit Cost
Factor, is applied to the average wage rate to account for total
employee benefits paid for by the Government ($74.35 * 1.3625 =
$101.30), and a factor of 12 percent is then applied to the rate of
$101.30 to account for overhead, which results in a loaded rate of
$113.46 ($101.30 * 1.12).
Based on the discussion above, the total annual estimated cost for
the Government to review, analyze, and
[[Page 68411]]
respond to 54 annual assessment submissions each year is approximately
$122,537 (54 responses * 20 hours * $113.46).
2. Review List of Operational Technology Equipment
Upon submission, the Government must review approximately six lists
of OT equipment submitted by contractors each year (see 39.X03(k)).
It is estimated that a GS 15/step 5 employee will spend 20 hours
reviewing, analyzing, and processing a contractor's submission. Using
an average loaded wage rate of $113.46 for GS Schedule 15/step 5
employees, the total annual estimated cost for the Government to
review, analyze, and file six OT equipment list submissions each year
is approximately $13,615 (6 responses * 20 hours * $113.46).
3. Review Continuous Monitoring Strategy
Upon submission, the Government must review approximately 28
continuous monitoring strategies provided by contractors each year (see
39.X03(f)). It is estimated that a GS 15/step 5 employee will spend 20
hours reviewing, analyzing, and processing a contractor's submission.
Using an average loaded wage rate of $113.46 for GS 15/step 5
employees, the total annual estimated cost for the Government to
review, analyze, and file 28 continuous monitoring strategy submissions
each year is approximately $63,538 (28 responses * 20 hours * $113.46).
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This rule is a significant regulatory action under E.O. 12866, and
therefore, was subject to review under Section 6(b) of E.O. 12866,
Regulatory Planning and Review, dated September 30, 1993.
VI. Regulatory Flexibility Act
DoD, GSA, and NASA do not expect this proposed rule, when
finalized, to have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601-612, because the rule applies to a small
number of entities that develop, implement, operate, or maintain a FIS
on behalf of the Government. However, an Initial Regulatory Flexibility
Analysis (IRFA) has been performed and is summarized as follows:
DoD, GSA, and NASA are proposing to amend the Federal
Acquisition Regulation (FAR) to implement standardized cybersecurity
contractual requirements across Federal agencies for unclassified
Federal Information Systems (FIS) pursuant to recommendations
received in accordance with paragraph (i) of section 2 of E.O.
14028, ``Improving the Nation's Cybersecurity,'' dated May 12, 2021.
The objective of this rule is to implement standardized
cybersecurity requirements in Federal contracts for services to
develop, implement, operate, or maintain a FIS on behalf of the
Government. This rule will help protect and secure FISs, while
streamlining the cybersecurity requirements for applicable contracts
and improving contractor and Federal compliance with cybersecurity
requirements for these systems. The legal basis for this rule is
paragraph (i) of section 2 of Executive Order 14028, ``Improving the
Nation's Cybersecurity,'' dated May 12, 2021; and paragraphs (a) and
(b)(1) of section 7 of the Internet of Things (IoT) Cybersecurity
Improvement Act of 2020 (Pub. L. 116-207). Promulgation of FAR
regulations is authorized by 40 U.S.C. 121(c); 10 U.S.C. chapter 4
and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016);
and 51 U.S.C. 20113.
This proposed rule will impact small businesses awarded a
contract to develop, implement, operate, or maintain a FIS on behalf
of the Government. The Government acknowledges that large businesses
awarded a contract for such services may further subcontract some of
the services that are subject to the requirements of the clauses. As
such, the Government estimates that up to an additional seven small
business entities may receive a subcontract to develop, implement,
operate, or maintain a FIS under a prime contract for the same
services.
The responsibilities prescribed to contractors under this rule
apply per FIS, not per contractor or subcontractor. Multiple
entities will not be responsible for implementing or executing the
same requirement for the same FIS; As such, the Government describes
the impact of this rule on small business under the assumption that
each of the responsibilities described below will be subcontracted
to a small business at least once annually.
According to subject matter experts, there are approximately 140
non-cloud FISs currently being operated or maintained by contractors
on behalf of the Government. The Government estimates it awards 28
contracts ((20 percent * 140 non-cloud FISs) * 1 contract/FIS) to 28
unique contractors (28 contracts = 28 unique entities) annually for
the development, implementation, operation, or maintenance of a non-
cloud FIS on behalf of the Government. Of the 28 contractors to be
awarded a contract each year to operate or maintain a non-cloud FIS,
approximately three (28 contractors * 10 percent) are small
businesses.
According to FedRAMP data and subject matter experts, there are
approximately 280 unique FedRAMP-authorized and ready cloud service
offerings available to the Federal Government. Based on the number
of FedRAMP-authorized offerings, the Government estimates that there
are approximately 56 new or revised FIS offerings (20 percent * 280
cloud service offerings) each year for which the Government
contracts. Therefore, the Government estimates that 56 unique
entities to be awarded a contract annually for the development,
implementation, operation, or maintenance of a cloud FIS on behalf
of the Government, of which approximately three (56 contractors *
five percent) are small businesses.
The proposed rule requires contractors awarded a contract or
subcontract to develop, implement, operate, or maintain a FIS to
read and become familiar with the rule, as well as review the
applicable standards documents identified in the rule. The proposed
rule also requires contractors awarded a contract or subcontract to
develop, implement, operate, or maintain a FIS using other than
cloud computing services (i.e., ``non-cloud FIS'') to: (1) Develop
and maintain a list of the physical location of all operational
technology (OT) equipment included within the boundary of the non-
cloud FIS; (2) When requested by the Government, submit a copy of
the OT equipment list to the Government; (3) Submit a copy of their
continuous monitoring strategy for the FIS; and (4) For FISs
categorized as FIPS Publication 199 moderate or high security
impact, submit the results of: an annual independent assessment of
the security of the FIS, and an annual cyber threat hunting and
vulnerability assessment.
A. Regulatory Familiarization and Standards Document Reviews
It is estimated that approximately all six small business
entities, and up to seven small business subcontractor entities,
awarded a contract to design, implement, operate, or maintain a FIS
on behalf of the Government will need to become familiar with the
various compliance requirements of the new clauses 52.239-YY or
52.239-XX, as well as review any applicable standards documents, to
be prepared to develop, implement, operate, or maintain a cloud and/
or non-cloud FIS, as applicable.
B. Develop and Submit OT Equipment List
It is estimated that approximately three small business
entities, and up to seven small business subcontractor entities,
will be awarded a contract or subcontract annually to develop,
implement, operate, or maintain a non-cloud FIS. Each of these
entities, will be required to develop, maintain, and submit a list
of OT equipment for the duration of the contract. The list must
include: (1) the identification and location of any controllers,
relays, sensors, pumps, actuators, Open Platform Communications
Unified Architecture devices, and other industrial control system
devices, as well as all the IP
[[Page 68412]]
addresses assigned to the different hardware components, used in
performance of the contract; (2) An explanation of whether the
device is password protected and, if so, whether it can be changed,
(3) an explanation of whether the device is accessible remotely; and
(4) whether multi-factor authentication is present and enabled. The
location information in the list must include enough detail to
affirmatively locate the OT equipment, when necessary, and track any
movement of such equipment during performance of the contract. It is
estimated that one of these three small business entities, and up to
seven small business subcontractor entities, will be asked to submit
the OT equipment list to the Government each year.
To develop and maintain the list of OT equipment, a small
business will need at least one employee within an information
system occupation series (e.g., computer system analyst, information
security analyst, system administrator, network architect) to
identify the requisite devices used in performance of the contract,
track the location of such devices as changes occur, and update and
modify the OT equipment list as necessary.
C. Submit Continuous Monitoring Strategy
All three small business entities, and up to seven small
business subcontractor entities, awarded a contract annually to
develop, implement, operate, or maintain a non-cloud FIS will be
required to submit a copy of their continuous monitoring strategy
for the FIS that demonstrates an ongoing awareness of information
security, vulnerabilities, and threats in order to support risk
management decisions, and applies the use of automation, wherever
possible; protects vulnerability scan data, logs, and telemetry; and
applies the guidance of NIST SP 800-137, ``Information Security
Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations.'' A small business will need at least one employee
within an information system occupation series (e.g., computer
system analyst, information security analyst, system administrator,
network architect) to review and submit the continuous monitoring
strategy.
D. Submit Annual Assessments
Of the 140 non-cloud FISs currently being operated or maintained
by contractors on behalf of the Government, the Government estimates
that approximately 95 percent of those systems are designated as
moderate or high FIPS 199 impacts. Applying that percentage to the
estimated number of contractors annually awarded a contract to
develop, implement, operate, or maintain a non-cloud FIS, it is
estimated that 27 contractors (95 percent * 28 contractors), of
which 2 are estimated to be small business, will be subject to the
annual assessment requirements.
These two small business entities, and up to seven small
business subcontractor entities, will be awarded a contract with a
FIS designated as moderate or high FIPS Publication 199 impact and
be required to submit the results of the two annual assessments to
the Government. The assessment of the security of the FIS must be an
independent assessment that is not conducted by the contractor. The
cyber threat hunting and vulnerability assessment may be completed
by the contractor. A small business must submit the results of both
assessments, including any recommended improvements or risk
mitigations identified for the FIS, to the Government. A small
business will need at least one employee within an information
system occupation series to review and submit the annual assessments
to the Government, as well as implement any recommended solutions
resulting from the assessments. If an entity chooses to conduct the
cyber threat hunting and vulnerability assessment on their own, the
entity will need at least one subject matter expert in cyber threat
hunting and vulnerability assessment, as well as experience with
system assessment, analysis, and audit.
This rule proposes to standardize common cybersecurity
contractual requirements across Federal agencies. To do so, E.O.
14028 required a review of agency-specific cybersecurity
requirements that currently exist as a matter of law, policy, or
contract to form the recommendation for the standardized contract
language proposed in this rule. As a result, this rule may
duplicate, overlap, or conflict with existing agency-specific
cybersecurity contract clauses. Section 2. Paragraph (k) of the E.O.
resolves the issue of duplication, overlap, or conflict by requiring
agencies, upon final publication of this rule, to update their
agency-specific cybersecurity requirements to remove any
requirements that are duplicative of this rule. There are no known
significant alternative approaches to the proposed rule.
The Regulatory Secretariat Division has submitted a copy of the
IRFA to the Chief Counsel for Advocacy of the Small Business
Administration. A copy of the IRFA may be obtained from the Regulatory
Secretariat Division. DoD, GSA, and NASA invite comments from small
business concerns and other interested parties on the expected impact
of this rule on small entities.
DoD, GSA, and NASA will also consider comments from small entities
concerning the existing regulations in subparts affected by the rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite ``5 U.S.C. 610 (FAR Case 2021-
019)'', in correspondence.
VII. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. 3501-3521) applies because
the proposed rule contains information collection requirements.
Accordingly, the Regulatory Secretariat Division has submitted a
request for approval of a new information collection requirement
concerning Standardizing Cybersecurity Requirements for Unclassified
Federal Information Systems to the Office of Management and Budget.
A. Public Reporting Burden for This Collection of Information
1. Submit Annual Assessment of FIS
Public reporting burden for this collection of information is
estimated to average 1 hour per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden estimated as follows:
Respondents/Recordkeepers: 27.
Total Annual Responses: 54.
Total Burden Hours: 54.
This estimate is based on two responses per respondent.
2. Maintain and Submit a List of Operational Technology Equipment
The public recordkeeping burden for this collection of information
is estimated to annually require one recordkeeper who spends 80 hours
per contract to maintain the list:
Recordkeepers: 28.
Total annual records: 28.
Total recordkeeping burden hours: 2,240.
The public reporting burden for this collection of information is
estimated to average 1 hour per response to review and submit the list.
The annual reporting burden is estimated as follows:
Respondents: 6.
Total Annual Responses: 6.
Total Burden Hours: 6.
This estimate is based on one response per respondent.
3. Submit Continuous Monitoring Strategy
Public reporting burden for this collection of information is
estimated to average 160 hours per response to develop, document,
review, and submit the strategy. The annual reporting burden is
estimated as follows:
Respondents: 28.
Total Annual Responses: 28.
Total Burden Hours: 4,480.
This estimate is based on one response per respondent.
B. Request for Comments Regarding Paperwork Burden
Submit comments on this collection of information no later than
December 4, 2023 through https://www.regulations.gov and follow the
instructions on the site. All items submitted must cite OMB Control No.
9000-XXXX, Standardizing Cybersecurity Requirements for
[[Page 68413]]
Unclassified Federal Information Systems. Comments received generally
will be posted without change to https://www.regulations.gov, including
any personal and/or business confidential information provided. To
confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission
to verify posting. If there are difficulties submitting comments,
contact the GSA Regulatory Secretariat Division at 202-501-4755 or
[email protected].
Public comments are particularly invited on:
The necessity of this collection of information for the
proper performance of the functions of Federal Government acquisitions,
including whether the information will have practical utility;
The accuracy of the estimate of the burden of this
collection of information;
Ways to enhance the quality, utility, and clarity of the
information to be collected; and
Ways to minimize the burden of the collection of
information on respondents, including the use of automated collection
techniques or other forms of information technology.
Requesters may obtain a copy of the supporting statement from the
General Services Administration, Regulatory Secretariat Division by
calling 202-501-4755 or emailing [email protected]. Please cite OMB
Control Number 9000-XXXX, Standardizing Cybersecurity Requirements for
Unclassified Federal Information Systems, in all correspondence.
List of Subjects in 48 CFR Parts 1, 2, 4, 7, 10, 11, 12, 37, 39,
and 52
Government procurement.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 1, 2,
4, 7, 10, 11, 12, 37, 39, and 52 as set forth below:
0
1. The authority citation for 48 CFR parts 1, 2, 4, 7, 10, 11, 12, 37,
39, and 52 continues to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C.
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C.
20113.
PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM
0
2. In section 1.106 amend in the table following the introductory text,
by adding in numerical order, entries for ``52.239-XX'' and ``52.239-
YY'' and its corresponding OMB control No. ``9000-XXXX'' to read as
follows:
1.106 OMB approval under the Paperwork Reduction Act.
* * * * *
------------------------------------------------------------------------
OMB control
FAR segment No.
------------------------------------------------------------------------
* * * * *
52.239-XX.................................................. 9000-XXXX
52.239-YY.................................................. 9000-XXXX
* * * * *
------------------------------------------------------------------------
PART 2--DEFINITIONS OF WORDS AND TERMS
0
3. Amend section 2.101, in paragraph (b)(2) by--
0
a. In the definition of ``Component'', removing from the end of
paragraph (3) the word ``and''; removing from the end of paragraph (4)
``52.225-23(a).'' and adding ``52.225-23(a); and'' in its place; and
adding a new paragraph (5);
0
b. Removing the definitions ``Federally-controlled information system''
and ``Information and communication technology (ICT)'';
0
c. Adding in alphabetical order the definitions ``Federal information
system'', ``Government data'', ``Information'', ``Information and
communications technology (ICT)'', and ``Information system'';
0
d. In the definition of ``Information technology'', revising paragraph
(3)(ii); and
0
e. Adding in alphabetical order the definitions ``Internet of Things
(IoT) devices'', ``Operational technology'', ``Telecommunications
equipment'', and ``Telecommunications services''.
The revisions and additions read as follows:
2.101 Definitions.
* * * * *
(b) * * *
(2) * * *
Component * * *
* * * * *
(5) Subpart 39.X, see the definition in 39.X01.
* * * * *
Federal information system--
(1) Means an information system (44 U.S.C. 3502(8)) used or
operated by an agency, by a contractor of an agency, or by another
organization, on behalf of an agency;
(2) On behalf of an agency as used in this definition, means when a
contractor uses or operates an information system or maintains or
collects information for the purpose of processing, storing, or
transmitting Government data, and those activities are not incidental
to providing a service or product to the Government (32 CFR part 2002).
* * * * *
Government data means any information, (including metadata),
document, media, or machine-readable material regardless of physical
form or characteristics that is created or obtained by the Government,
or a contractor on behalf of the Government, in the course of official
Government business.
* * * * *
Information, as used in subparts 4.19 and 39.X, means any
communication or representation of knowledge such as facts, data, or
opinions in any medium or form, including textual, numerical, graphic,
cartographic, narrative, electronic, or audiovisual forms (see Office
of Management and Budget (OMB) Circular No. A-130, Managing Information
as a Strategic Resource).
Information and communications technology (ICT) means information
technology and other equipment, systems, technologies, or processes,
for which the principal function is the creation, manipulation,
storage, display, receipt, or transmission of electronic data and
information, as well as any associated content. Examples of ICT include
but are not limited to the following: Computers and peripheral
equipment; information kiosks and transaction machines;
telecommunications equipment; telecommunications services; customer
premises equipment; multifunction office machines; computer software;
applications; websites; electronic media; electronic documents;
Internet of Things (IoT) devices; and operational technology.
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information (44 U.S.C. 3502(8)).
Information resources, as used in this definition, includes any ICT.
Information technology * * *
* * * * *
(3) * * *
(ii) Is operational technology.
* * * * *
Internet of Things (IoT) devices means, consistent with section 2
paragraph 4 of Public Law 116-207, devices that--
(1) Have at least one transducer (sensor or actuator) for
interacting directly with the physical world, have at least one network
interface, and are not conventional information technology devices,
such as smartphones and
[[Page 68414]]
laptops, for which the identification and implementation of
cybersecurity features is already well understood; and
(2) Can function on their own and are not only able to function
when acting as a component of another device, such as a processor.
* * * * *
Operational technology means programmable systems or devices that
interact with the physical environment (or manage devices that interact
with the physical environment). These systems or devices detect or
cause a direct change through the monitoring and/or control of devices,
processes, and events. Examples of operational technology include
industrial control systems, building management systems, fire control
systems, and physical access control mechanisms (NIST SP 800-160 vol
2).
* * * * *
Telecommunications equipment means equipment used to transmit,
emit, or receive signals, signs, writing, images, sounds, or
intelligence of any nature, by wire, cable, satellite, fiber optics,
laser, radio, or any other electronic, electric, electromagnetic, or
acoustically coupled means.
Telecommunications services means services used to transmit, emit,
or receive signals, signs, writing, images, sounds, or intelligence of
any nature, by wire, cable, satellite, fiber optics, laser, radio, or
any other electronic, electric, electromagnetic, or acoustically
coupled means.
* * * * *
PART 4--ADMINISTRATIVE AND INFORMATION MATTERS
4.1301 [Amended]
0
4. Amend section 4.1301 by removing from paragraphs (a) and (b)
``Federally-controlled information'' and adding ``Federal information''
in their places; respectively.
4.1303 [Amended]
0
5. Amend section 4.1303 by removing from the text ``Federally-
controlled information'' and adding ``Federal information'' in its
place.
4.1901 [Amended]
0
6. Amend section 4.1901 by removing the definitions of ``Information''
and ``Information system''.
PART 7--ACQUISITION PLANNING
0
7. Amend section 7.103 by--
0
a. Removing from paragraph (q) ``information and communication
technology'' and adding ``information and communications technology''
in its place; and
0
b. Adding paragraph (z).
The addition reads as follows.
7.103 Agency-head responsibilities.
* * * * *
(z) For service acquisitions that will require a contractor to
develop, implement, operate, or maintain a Federal information system,
ensuring that acquisition planners (see 2.101(b)), in consultation with
the agency's authorizing official (see 39.X01), develop requirements in
accordance with the procedures at 39.X02-1 and 39.X02-2.
0
8. Amend section 7.105 by removing from paragraph (b)(18)(iii)
``Federally-controlled information'' and adding ``Federal information''
in its place and adding paragraph (b)(18)(v) to read as follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(18) * * *
(v) For service acquisitions that will require a contractor to
develop, implement, operate, or maintain a Federal information system,
discuss compliance with 39.X02-1 and 39.X02-2.
* * * * *
PART 10--MARKET RESEARCH
10.001 [Amended]
0
9. Amend section 10.001 by removing from paragraph (a)(3)(ix)
``information and communication technology'' and adding ``information
and communications technology'' in its place.
PART 11--DESCRIBING AGENCY NEEDS
11.002 [Amended]
0
10. Amend section 11.002 by removing from paragraph (f)(1)(i)
``information and communication technology'' and adding ``information
and communications technology'' in its place.
PART 12--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL SERVICES
12.202 [Amended]
0
11. Amend section 12.202 by removing from paragraph (d) ``information
and communication technology'' and adding ``information and
communications technology'' in its place.
PART 37--SERVICE CONTRACTING
37.000 [Amended]
0
12. Amend section 37.000 by removing from the text ``information
technology'' and adding ``information and communications technology''
in its place.
PART 39--ACQUISITION OF INFORMATION AND COMMUNICATIONS TECHNOLOGY
0
13. Revise the heading for part 39 to read as set forth above.
0
14. Amend section 39.000 by removing from paragraph (a) ``Management of
Federal Information Resources'' and adding ``Managing Information as a
Strategic Resource'' in its place; and revising paragraph (b) to read
as follows:
39.000 Scope of part.
* * * * *
(b) Information and communications technology (ICT), as well as
supplies and services that use ICT (see 2.101(b)).
0
15. Amend section 39.001 by revising the first sentence of paragraph
(a) and revising paragraph (b) to read as follows:
39.001 Applicability.
* * * * *
(a) ICT, as well as supplies and services that use ICT, which
includes information technology, Internet of Things (IoT) devices
(e.g., connected appliances, wearables), and operational technology, by
or for the use of agencies except for acquisitions of information
technology for national security systems. * * *
(b) ICT by or for the use of agencies or for the use of the public.
When applying the policy in subpart 39.2, see the exceptions at 39.204
and exemptions at 39.205.
0
16. Revise subpart 39.2 heading to read as follows:
Subpart 39.2--Information and Communications Technology
Accessibility
* * * * *
39.201 [Amended]
0
17. Amend section 39.201 by removing from paragraph (a) ``information
and communication technology'' and adding ``information and
communications technology'' in its place.
0
18. Add a new subpart 39.X to read as follows:
[[Page 68415]]
Subpart 39.X--Federal Information Systems
39.X00 Scope of subpart.
This subpart provides policies and procedures for acquiring
services to develop, implement, operate, or maintain a Federal
information system (FIS) (E.O. 14028, Improving the Nation's
Cybersecurity, dated May 12, 2021). This subpart does not apply to
National security systems (see 39.002).
39.X01 Definitions.
As used in this subpart--
Administrative account means a user account with full privileges
(i.e., with full function and access rights) intended to be used only
when performing management tasks, such as installing updates and
application software, managing user accounts, and modifying operating
system and application settings.
Authorization boundary means all components of an information
system to be authorized for operation by an authorizing official. This
excludes separately authorized systems to which the information system
is connected (OMB Circular No. A-130).
Authorizing official means a senior Federal official or executive
with the authority to authorize (i.e., assume responsibility for) the
operation of an information system or the use of a designated set of
common controls at an acceptable level of risk to agency operations
(including mission, functions, image, or reputation), agency assets,
individuals, other organizations, and the Nation (OMB Circular No. A-
130).
Cloud computing means a model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. Cloud computing is
characterized by on-demand self-service, broad network access, resource
pooling, rapid elasticity, and measured service; and includes service
models such as software-as-a-service, infrastructure-as-a-service, and
platform-as-a-service (NIST SP 800-145).
Component means a discrete identifiable information and operational
technology asset that represents a building block of a system and may
include hardware, software, and firmware.
Cyber supply chain risk means the potential for harm or compromise
that arises as a result of cybersecurity risks from suppliers, their
supply chains, and their products or services. This includes risks that
arise from threats exploiting vulnerabilities or exposures within
products and services traversing the supply chain as well as threats or
exposures within the supply chain itself. The level of risk depends on
the likelihood that relevant threats may exploit applicable
vulnerabilities and the consequential potential impacts (NIST SP 800-
161 and 800-203).
Government-related data means any information, document, media, or
machine-readable material regardless of physical form or
characteristics that is created or obtained by a contractor through the
storage, processing, or communication of Government data. Government-
related data does not include--
(1) A contractor's business records (e.g., financial records, legal
records) that do not incorporate Government data, or
(2) Data such as operating procedures, software coding or
algorithms that are not primarily applied to the Government data.
High value asset means Government data or a Federal information
system that is designated as a high value asset pursuant to OMB
Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies
by enhancing the High Value Asset Program.
Media means physical devices or writing surfaces including, but not
limited to, magnetic tapes, optical disks, magnetic disks, large-scale
integration memory chips, and printouts onto which information is
recorded, stored, or printed within an information system (NIST SP 800-
37).
Metadata means information describing the characteristics of data
including, but not limited to, structural metadata that describes data
structures (e.g., data format, syntax, and semantics) and descriptive
metadata that describes data contents (e.g., information security
labels) (NIST SP 800-53).
Service account means an account used by machines, e.g., an
operating system, application, process, or service, not used by a
human.
39.X02 Procedures.
All FIS require protection as part of good risk management
practices. A contract for services to develop, implement, operate, or
maintain a FIS may require contractors to utilize cloud computing
services, computing services other than cloud computing services (i.e.,
non-cloud computing services), or both service approaches in performing
the contract. Each service approach requires certain compliances and
standards to be met to ensure appropriate FIS protection.
39.X02-1 Federal information systems using non-cloud computing
services.
(a) Contracting officer verification.
(1) Requirement criteria. When acquiring services to develop,
implement, operate, or maintain a FIS using non-cloud computing
services, the contracting officer shall verify with the requiring
activity that the requirement--
(i) Categorizes the FIS based on an impact analysis of the
information processed, stored, and transmitted by the system (see the
current version of Federal Information Processing Standards (FIPS)
Publication 199, Standards for Security Categorization of Federal
Information and Information Systems, for additional information);
(ii) Identifies a set of controls to protect the FIS based on an
assessment of risk in accordance with--
(A) The current version of FIPS Publication 200, Minimum Security
Requirements for Federal Information and Information Systems;
(B) The current version of National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53B, Control Baselines
for Information Systems and Organizations; and
(C) Agency procedures (see paragraph (a)(2) of this section for
mandatory controls to be addressed in all requirements);
(iii) Includes the FIPS Publication 199 impact level (paragraph
(a)(1)(i) of this section) and the identified controls (paragraph
(a)(1)(ii) of this section) in the contract;
(iv) Identifies any Cybersecurity and Infrastructure Security
Agency (CISA) Binding Operational Directives and Emergency Directives
(from the list at https://www.cisa.gov/directives) that will not apply
to the requirement (see fill-in at paragraph (l)(2) of 52.239-YY); and
(v) Addresses each of the elements identified at 52.239-YY(f), as
applicable.
(2) Mandatory controls. The controls identified in paragraph
(a)(1)(ii) of this section must address the following requirements:
(i) Multifactor authentication.
(A) All accounts other than service accounts must employ
multifactor authentication that meets or exceeds Authenticator
Assurance Level 2 (AAL2), as defined in the most recent version of NIST
SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle
Management. Agencies may mandate accounts for Government or contractor
personnel requiring phishing resistant multifactor authentication
[[Page 68416]]
exceeding AAL2, depending on the sensitivity of the system or non-
public data accessed.
(B) Any administrative access must be conducted using a hardware-
based multifactor cryptographic device authenticator.
(ii) Administrative accounts.
(A) All systems and services provided shall have unique
administrative accounts, with the exception of service accounts.
(B) Any accounts that administer any part of the systems used in
the performance of the contract, to include support systems and
infrastructure, shall be considered part of the system authorization
boundary and must have unique administrative accounts that are unique
and exclusive to agency systems. Administrator accounts must be
disclosed, upon request by the contracting officer.
(iii) Consent banners. Login and consent banners must be deployed
on all systems and networks. Such banners must be consistent with CISA
guidance at https://www.cisa.gov/publication/guidance-consent-banners.
The contract may include more specific requirements for consent
banners; such requirements will be consistent with the CISA guidance
linked above;
(iv) Internet of Things devices. Apply any additional cybersecurity
requirements necessary for IoT devices located within the boundary of
the FIS in accordance with the current version of NIST SP 800-213, IoT
Device Cybersecurity Guidance for the Federal Government: Establishing
IoT Device Cybersecurity Requirements; and
(v) Annual assessments. For a FIS designated as a moderate or high
FIPS Publication 199 impact, specify the specific requirements for the
annual assessments (see FAR 52.239-YY(d)).
(b) Prohibited IoT devices in Federal information systems. The
Internet of Things Cybersecurity Improvement Act of 2020 (Pub. L. 116-
207) prohibits agencies from procuring or obtaining, renewing a
contract to procure or obtain, or using an IoT device, if the agency's
Chief Information Officer determines (during a review required by 40
U.S.C. 11319(b)(1)(C) of a contract for such device) that the use of
such a device prevents compliance with NIST SP 800-213.
(1) The head of the agency may waive the prohibition in this
paragraph (b) if the agency's Chief Information Officer determines, in
writing, that--
(i) A waiver is necessary in the interest of national security;
(ii) Procuring, obtaining, or using such device is necessary for
research purposes; or
(iii) The device is secured using alternative and effective methods
appropriate to the function of the device.
(2) When the prohibition is waived in accordance with 39.X02-
1(b)(1), contracting officers shall obtain confirmation of the waiver
from the agency's Chief Information Officer and document the
confirmation in the contract file.
39.X02--2 Federal information systems using cloud computing services.
When acquiring services to develop, implement, operate, or maintain
a FIS using cloud computing services, the contracting officer shall
verify with the requiring activity that the requirement--
(a) Specifies the FIPS Publication 199 impact level and the Federal
Risk and Authorization Management Program (FedRAMP) authorization level
that corresponds with the FIPS Publication 199 impact level for all
applicable cloud computing services;
(b) For systems categorized as FIPS Publication 199 high impact--
(1) Ensures all Government data is maintained (i.e., stored or
processed) within the United States and its outlying areas (see
2.101(b)) or is physically located on U.S. Government premises, unless
otherwise authorized in writing by the Authorizing Official for the
information system; or
(2) When another location is authorized for the maintenance of
Government data in accordance with paragraph (b)(1), specifies the
location(s) authorized by the Authorizing Official for the information
system;
(c) Specifies the format(s) in which all Government data and
Government-related data is to be received from the contractor;
(d) Specifies how the contractor must dispose of Government data
and Government-related data; and
(e) Complies with the following requirements--
(1) Multifactor authentication.
(i) All accounts other than service accounts must employ
multifactor authentication that meets or exceeds Authenticator
Assurance Level 2 (AAL2), as defined in the most recent version of NIST
SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle
Management. Agencies may mandate accounts for Government or contractor
personnel requiring phishing resistant multifactor authentication
exceeding AAL2, depending on the sensitivity of the system or non-
public data accessed.
(ii) Any administrative access must be conducted using a hardware-
based multifactor cryptographic device authenticator.
(2) Administrative accounts.
(i) All systems and services provided shall have unique
administrative accounts, with the exception of service accounts.
(ii) Any accounts that administer any part of a system used in the
performance of the contract, to include support systems and
infrastructure, shall be considered part of the system authorization
boundary and must have unique administrative accounts that are unique
and exclusive to agency systems. Administrator accounts must be
disclosed, upon request by the contracting officer.
(3) Consent banners. Login and consent banners must be deployed on
all systems and networks. Such banners must be consistent with CISA
guidance at https://www.cisa.gov/publication/guidance-consent-banners.
The contract may include more specific requirements for consent
banners; such requirements will be consistent with the CISA guidance
linked above.
39.X03 Contracting officer coordination.
The contracting officer shall coordinate the following requests and
submissions with the requiring activity (to enable coordination with
the agency chief information security officer, senior agency official
for privacy, and agency legal counsel, as necessary)--
(a) Any request for information or access pursuant to the clause at
52.239-ZZ, Incident and Threat Reporting and Incident Response
Requirements for Products or Services Containing Information and
Communications Technology (ICT);
(b) A submission of a reportable incident pursuant to FAR clause
52.239-ZZ, when such incident involves a FIS;
(c) The contractor's annual, independent assessment of the security
of each FIS (52.239-YY(d)(1)(iii)). If received from the requiring
activity, the contracting officer shall provide the contractor with the
agency's request to implement or rationale for not implementing a
recommendation for improvement or mitigation (52.239-YY(d)(1)(iv) and
(v));
(d) A contractor's request to use Government-related data for a
purpose other than to manage the operational environment that supports
the Government data information (52.239-XX(d)(2));
(e) A contractor's submission of its system security plan, when
requested by the agency (52.239-YY(e)(3)(ii));
[[Page 68417]]
(f) A contractor's submission of its continuous monitoring strategy
for the FIS (52.239-YY(f)(7));
(g) A contractor's request to implement alternative, additional, or
compensating security controls, to include those pertaining to cyber
supply chain risk management, not otherwise identified in the contract
(52.239-YY(g));
(h) A contractor's request to use Government metadata for a purpose
other than to manage the operational environment that supports the
Government data (52.239-YY(i)(2));
(i) A contractor's notification of a third-party request for access
to Government data or any associated metadata, or access to information
systems with access to Government data or any associated metadata
(52.239-YY(i)(3));
(j) A contractor's request to publish or disclose the details of
any safeguards either designed or developed by the contractor under the
contract, or otherwise provided by the Government (52.239-YY(i)(4));
(k) A contractor's submission of its operational technology
equipment list, when requested by the agency (52.239-YY(k)(3)); and
(l) Any other relevant contractor or third-party requests for
access or data not covered herein.
39.X04 Contract clauses.
When acquiring services to develop, implement, operate, or maintain
a FIS, the contracting officer shall insert--
(a) The clause at 52.239-YY, Federal Information Systems Using Non-
Cloud Computing Services, in solicitations and contracts that use, or
are anticipated to use, non-cloud computing services in performance of
the contract; and
(b) The clause at 52.239-XX, Federal Information Systems Using
Cloud Computing Services, in solicitations and contracts that use, or
are anticipated to use, cloud computing services in performance of the
contract.
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
19. Amend section 52.204-9 by--
0
a. Revising the date of the clause; and
0
b. Removing from paragraph (d) ``Federally-controlled information'' and
adding ``Federal information'' in its place.
The revision reads as follows:
52.204-9 Personal Identity Verification of Contractor Personnel.
* * * * *
Personal Identity Verification of Contractor Personnel (DATE)
* * * * *
0
20. Amend section 52.212-5 by--
0
a. Revising the date of the clause;
0
b. Redesignating paragraphs (b)(63) through (64) as paragraphs (b)(65)
through (66);
0
c. Adding new paragraphs (b)(63) and (64);
0
d. Redesignating paragraph (e)(1)(xxiv) as paragraph (e)(1)(xxvi);
0
e. Adding new paragraphs (e)(1)(xxiv) and (xxv);
0
f. In Alternate II by--
0
i. Revising the date of Alternate II;
0
ii. Redesignating paragraphs (e)(1)(ii)(W) as paragraph (e)(1)(ii)(Y);
and adding new paragraphs (e)(1)(ii)(W) and (X);
The revisions and additions read as follows:
52.212-5 Contract Terms and Conditions Required To Implement Statutes
or Executive Orders--Commercial Products and Commercial Services.
* * * * *
Contract Terms and Conditions Required To Implement Statutes or
Executive Orders--Commercial Products and Commercial Services (DATE)
* * * * *
(b) * * *
_ (63) 52.239-YY Federal Information Systems Using Non-Cloud
Computing Services (DATE) (E.O. 14028 and 15 U.S.C. 278g-3e).
_ (64) 52.239-XX Federal Information Systems Using Cloud Computing
Services (DATE) (E.O. 14028).
* * * * *
(e)(1) * * *
(xxiv) 52.239-YY Federal Information Systems Using Non-Cloud
Computing Services (DATE) (E.O. 14028 and 15 U.S.C. 278g-3e).
(xxv) 52.239-XX Federal Information Systems Using Cloud Computing
Services (DATE) (E.O. 14028).
* * * * *
Alternate II. (DATE) * * *
(e)(1) * * *
(ii) * * *
(W) 52.239-YY Federal Information Systems Using Non-Cloud Computing
Services (DATE) (E.O. 14028 and 15 U.S.C. 278g-3e).
(X) 52.239-XX Federal Information Systems Using Cloud Computing
Services (DATE) (E.O. 14028).
* * * * *
0
21. Amend section 52.213-4 by--
0
a. Revising the date of the clause;
0
b. Adding paragraphs (a)(1)(xii) and (xiii); and
0
c. Revising the date of paragraph (a)(2)(vii).
The additions and revisions read as follows:
52.213-4 Terms and Conditions--Simplified Acquisitions (Other Than
Commercial Products and Commercial Services).
* * * * *
Terms and Conditions--Simplified Acquisitions (Other Than Commercial
Products and Commercial Services) (DATE)
* * * * *
(a) * * *
(1) * * *
(xii) 52.239-YY Federal Information Systems Using Non-Cloud
Computing Services (DATE) (E.O. 14028 and 15 U.S.C. 278g-3e).
(xiii) 52.239-XX Federal Information Systems Using Cloud Computing
Services (DATE) (E.O. 14028).
(2) * * *
(vii) 52.244-6, Subcontracts for Commercial Products and Commercial
Services (DATE).
* * * * *
0
22. Adding new sections 52.239-XX and 52.239-YY to read as follows:
52.239-XX Federal Information Systems Using Cloud Computing Services.
As prescribed in 39.X04(b) insert the following clause:
Federal Information Systems Using Cloud Computing Services (DATE)
(a) Definitions. As used in this clause--
Cloud computing means a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction. Cloud computing is characterized by on-demand self-
service, broad network access, resource pooling, rapid elasticity,
and measured service; and includes service models such as software-
as-a-service, infrastructure-as-a-service, and platform-as-a-service
(NIST SP 800-145).
Federal information system--
(1) Means an information system (44 U.S.C. 3502(8)) used or
operated by an agency, by a contractor of an agency, or by another
organization, on behalf of an agency;
(2) On behalf of an agency as used in this definition, means
when a contractor uses or operates an information system or
maintains or collects information for the purpose of processing,
storing, or transmitting Government data, and those activities are
not incidental to providing a service or product to the Government
(32 CFR part 2002).
Full access means, for all contractor information systems used
in performance, or which support performance, of the contract--
(1) Physical and electronic access to--
(i) Contractor networks;
(ii) Systems;
(iii) Accounts with access to Government systems;
(iv) Other infrastructure housed on the same computer network;
[[Page 68418]]
(v) Other infrastructure with a shared identity boundary or
interconnection to the Government system; and
(2) Provision of all requested Government data or Government-
related data, including--
(i) Images;
(ii) Log files;
(iii) Event information; and
(iv) Statements, written or audio, of contractor employees
describing what they witnessed or experienced in connection with the
contractor's performance of the contract.
Government data means any information (including metadata),
document, media, or machine-readable material regardless of physical
form or characteristics that is created or obtained by the
Government, or a contractor on behalf of the Government, in the
course of official Government business.
Government-related data means any information, document, media,
or machine-readable material regardless of physical form or
characteristics that is created or obtained by a contractor through
the storage, processing, or communication of Government data.
Government-related data does not include--
(1) A contractor's business records (e.g., financial records,
legal records) that do not incorporate Government data; or
(2) Data such as operating procedures, software coding or
algorithms that are not primarily applied to the Government data.
Information means any communication or representation of
knowledge, such as facts, data, or opinions in any medium or form,
including textual, numerical, graphic, cartographic, narrative,
electronic, or audiovisual forms (see Office of Management and
Budget (OMB) Circular No. A-130, Managing Information as a Strategic
Resource).
Information and communications technology (ICT) means
information technology and other equipment, systems, technologies,
or processes, for which the principal function is the creation,
manipulation, storage, display, receipt, or transmission of
electronic data and information, as well as any associated content.
Examples of ICT include but are not limited to the following:
computers and peripheral equipment; information kiosks and
transaction machines; telecommunications equipment;
telecommunications services; customer premises equipment;
multifunction office machines; computer software; applications;
websites; electronic media; electronic documents; Internet of Things
(IoT) devices; and operational technology.
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information (44 U.S.C. 3502(8)).
Information resources as used in this definition, includes any ICT.
Media means physical devices or writing surfaces including, but
not limited to, magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and printouts onto which
information is recorded, stored, or printed within an information
system (NIST SP 800-53).
(b) Applicability. The requirements of this clause shall only
apply to aspects of a Federal information system (FIS) that involve
cloud computing services.
(c) Cloud computing security requirements.
(1) The Contractor shall implement and maintain security and
privacy safeguards and controls with the security level and services
required in accordance with the Federal Risk and Authorization
Management Program (FedRAMP) authorization level specified.
(i) Cloud continuous monitoring requirement. The Contractor
shall engage in continuous monitoring activities and provide
continuous monitoring deliverables as required for FedRAMP approved
capabilities (see FedRAMP Continuous Monitoring Strategy Guide).
(ii) Cryptographic key services. The Government reserves the
right to implement and operate its own cryptographic key management,
key revocation and key escrow services.
(2) For cloud computing services required to meet FIPS
Publication 199 high impact requirements, the Contractor shall
maintain within the United States and its outlying areas (see FAR
2.101) all Government data that is not physically located on U.S.
Government premises, unless otherwise specified in the contract.
(d) Limitations on access to, and use and disclosure of,
Government data and Government-related data.
(1) The Contractor shall not access, use, or disclose Government
data or Government-related data unless specifically authorized under
the contract or task or delivery order or in writing by the
Contracting Officer.
(i) When authorized, any access to, or use or disclosure of,
Government data or Government-related data shall only be for
purposes specified in the contract or task order or delivery order.
(ii) The Contractor shall ensure that its employees are subject
to all such access, use, and disclosure prohibitions and obligations
of this paragraph.
(iii) The access, use, and disclosure prohibitions and
obligations of this paragraph shall survive the expiration or
termination of this contract.
(2) The Contractor shall use Government-related data only to
manage the operational environment that supports the Government data
and for no other purpose unless otherwise permitted with the prior
written approval of the Contracting Officer.
(e) Notifiable incident reporting, incident response and threat
reporting.
For contract coverage on security incident and cyber threat
reporting, see FAR clause 52.239-ZZ, Incident and Threat Reporting
and Incident Response Requirements for Products or Services
Containing Information and Communications Technology, in this
contract.
(f) Records management and Government access.
(1) The Contractor shall provide the Contracting Officer with
all Government data and Government-related data in the format
specified in the contract.
(2) The Contractor shall dispose of Government data and
Government-related data in accordance with the terms of the contract
and provide the confirmation of disposition to the Contracting
Officer in accordance with contract closeout procedures.
(3)(i) To the extent required to carry out a program of
inspection to safeguard against threats and hazards to the security,
(i.e., confidentiality, integrity, and availability) and privacy of
Government data; or for the purpose of audits, investigations,
inspections, or other similar activities, as authorized by law,
regulation, or this contract, the Contractor shall provide the
Government's authorized representatives (authorized representatives
include CISA, except for contracts with the Department of Defense,
the Intelligence Community, or for National Security Systems, and
could include other Federal agencies, as specified by the
Contracting Officer) with--
(A) Timely access, including full access, to all Government data
and Government-related data;
(B) Timely access to contractor personnel involved in
performance of the contract; and
(C) Specifically for the purpose of audit, investigation,
inspection, or other similar activity, as authorized by law,
regulation, or this contract, timely physical access to any
Contractor facility with Government data.
(ii) In response to a request for access from CISA, the
Contractor shall--
(A) First confirm the validity of the request by contacting CISA
Central by email at [email protected], or by telephone at 888-282-
0870; and
(B) Immediately notify the Contracting Officer and any other
agency official designated in the contract, in writing, of receipt
of the request. Provision of information and access to CISA under
this clause shall not be delayed by submission of this notification
or awaiting acknowledgement of its receipt.
(g) Notification of third-party access requests. The Contractor
shall notify the Contracting Officer promptly of any requests from a
third-party for access to Government data or Government-related
data, including any warrants, seizures, or subpoenas it receives,
including those from another Federal, State, or local agency. The
Contractor shall comply with applicable clauses, regulations, and
laws concerning protection of Government data and Government-related
data from any unauthorized disclosure.
(h) Indemnity for potential or actual loss or damage of
Government data.
(1) The Contractor shall indemnify the Government and its
officers, agents, and employees acting for the Government against
any liability arising out of the performance of this contract,
including costs and expenses, incurred as the result of the
Contractor's unauthorized introduction of copyrighted material to
which the Contractor has no rights or license that may infringe on
the copyright interest of others, information subject to a right of
privacy, and any libelous or other unlawful matter into Government
data. The Contractor agrees to waive any and all defenses that may
be asserted for its benefit, including (without limitation) the
``Government Contractors Defense.''
(2) The Contractor shall indemnify the Government and its
officers, agents, and employees acting for the Government against
[[Page 68419]]
any liability arising out of the performance of this contract,
including costs and expenses, incurred as the result of the
Contractor's potential or actual unauthorized disclosure of trade
secrets, copyrighted materials, contractor bid or proposal
information, source selection information, classified information,
material marked as ``Controlled Unclassified Information'',
information subject to a right of privacy or publicity, personally
identifiable information as defined by OMB Circular A-130 (2016) or
successor thereof, or any record as defined in 5 U.S.C. 552a.
(3) In the event of any claim or suit against the Government on
account of any alleged unauthorized disclosure or introduction of
data or information arising out of the performance of this contract
or services performed under this contract, the Contractor shall
furnish to the Government, when requested by the Contracting
Officer, all evidence and information in the Contractor's possession
pertaining to such claim or suit.
(4) The provisions of this paragraph (h) do not apply unless the
Government provides notice to the Contractor as soon as practicable
of any claim or suit, affords the Contractor an opportunity under
applicable laws, rules, or regulations to participate in the defense
of the claim or suit, and these provisions do not apply to any
libelous or other unlawful matter contained in such data furnished
to the Contractor by the Government and incorporated in data to
which this clause applies. Further, this indemnity shall not apply
to--
(i) A disclosure or inclusion of data or information upon
specific written instructions of the Contracting Officer directing
the disclosure or inclusion of such information or data;
(ii) A third-party claim that is unreasonably settled without
the consent of the Contractor, unless required by final decree of a
court of competent jurisdiction.
(i) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (i), in all subcontracts under
this contract for services to develop, implement, operate, or
maintain a FIS using cloud computing services.
(End of clause)
52.239-YY Federal Information Systems Using Non-Cloud Computing
Services.
As prescribed in 39.X04(a) insert the following clause:
Federal Information Systems Using Non-Cloud Computing Services (DATE)
(a) Definitions. As used in this clause--
Cloud computing means a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction. Cloud computing is characterized by on-demand self-
service, broad network access, resource pooling, rapid elasticity,
and measured service; and includes service models such as software-
as-a-service, infrastructure-as-a-service, and platform-as-a-service
(NIST SP 800-145).
Component means a discrete identifiable information and
operational technology asset that represents a building block of a
system and may include hardware, software, and firmware.
Cyber supply chain risk means the potential for harm or
compromise that arises as a result of cybersecurity risks from
suppliers, their supply chains, and their products or services. This
includes risks that arise from threats exploiting vulnerabilities or
exposures within products and services traversing the supply chain
as well as threats or exposures within the supply chain itself. The
level of risk depends on the likelihood that relevant threats may
exploit applicable vulnerabilities and the consequential potential
impacts. (NIST SP 800-161 and 800-203).
Federal information system--
(1) Means an information system (44 U.S.C. 3502(8)) used or
operated by an agency, by a contractor of an agency, or by another
organization, on behalf of an agency;
(2) On behalf of an agency as used in this definition, means
when a contractor uses or operates an information system or
maintains or collects information for the purpose of processing,
storing, or transmitting Government data, and those activities are
not incidental to providing a service or product to the Government
(32 CFR part 2002).
Full access means, for all contractor information systems used
in performance, or which support performance, of the contract--
(1) Physical and electronic access to--
(i) Contractor networks;
(ii) Systems;
(iii) Accounts with access to Government systems;
(iv) Other infrastructure housed on the same computer network;
(v) Other infrastructure with a shared identity boundary or
interconnection to the Government system; and
(2) Provision of all requested Government data or Government-
related data, including--
(i) Images;
(ii) Log files;
(iii) Event information; and
(iv) Statements, written or audio, of contractor employees
describing what they witnessed or experienced in connection with the
contractor's performance of the contract.
Government data means any information, (including metadata),
document, media, or machine-readable material regardless of physical
form or characteristics that is created or obtained by the
Government, or a contractor on behalf of the Government, in the
course of official Government business.
Government-related data means any information, document, media,
or machine-readable material regardless of physical form or
characteristics that is created or obtained by a contractor through
the storage, processing, or communication of Government data.
Government-related data does not include--
(1) A contractor's business records (e.g., financial records,
legal records) that do not incorporate Government data; or
(2) Data such as operating procedures, software coding or
algorithms that are not primarily applied to the Government data.
High value asset means Government data or a Federal information
system that is designated as a high value asset pursuant to OMB
Memorandum M-19-03, Strengthening the Cybersecurity of Federal
Agencies by enhancing the High Value Asset Program.
Information means any communication or representation of
knowledge, such as facts, data, or opinions, in any medium or form,
including textual, numerical, graphic, cartographic, narrative,
electronic, or audiovisual forms (see Office of Management and
Budget (OMB) Circular No. A-130, Managing Information as a Strategic
Resource).
Information and communications technology (ICT) means
information technology and other equipment, systems, technologies,
or processes, for which the principal function is the creation,
manipulation, storage, display, receipt, or transmission of
electronic data and information, as well as any associated content.
Examples of ICT include but are not limited to the following:
computers and peripheral equipment; information kiosks and
transaction machines; telecommunications equipment;
telecommunications services; customer premises equipment;
multifunction office machines; computer software; applications;
websites; electronic media; electronic documents; Internet of Things
(IoT) devices; and operational technology.
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information (44 U.S.C. 3502(8)).
Information resources, as used in this definition, includes any ICT.
Information technology means any equipment, or interconnected
system(s) or subsystem(s) of equipment, that is used in the
automatic acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange,
transmission, or reception of data or information by the agency.
(1) For purposes of this definition, equipment is used by an
agency if the equipment is used by the agency directly or is used by
a contractor under a contract with the agency that requires--
(i) Its use; or
(ii) To a significant extent, its use in the performance of a
service or the furnishing of a product.
(2) The term ``information technology'' includes computers,
ancillary equipment (including imaging peripherals, input, output,
and storage devices necessary for security and surveillance),
peripheral equipment designed to be controlled by the central
processing unit of a computer, software, firmware and similar
procedures, services (including support services), and related
resources.
(3) The term ``information technology'' does not include any
equipment that--
(i) Is acquired by a contractor incidental to a contract; or
(ii) Is operational technology.
Internet of Things (IoT) devices means, consistent with section
2 paragraph 4 of Public Law 116-207, devices that--
[[Page 68420]]
(1) Have at least one transducer (sensor or actuator) for
interacting directly with the physical world, have at least one
network interface, and are not conventional information technology
devices, such as smartphones and laptops, for which the
identification and implementation of cybersecurity features is
already well understood; and
(2) Can function on their own and are not only able to function
when acting as a component of another device, such as a processor.
Media means physical devices or writing surfaces including, but
not limited to, magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and printouts onto which
information is recorded, stored, or printed within an information
system (NIST SP 800-53).
Metadata means information describing the characteristics of
data including, but not limited to, structural metadata that
describes data structures (e.g., data format, syntax, and semantics)
and descriptive metadata that describes data contents (e.g.,
information security labels) (NIST SP 800-37).
Operational technology (OT) means programmable systems or
devices that interact with the physical environment or manage
devices that interact with the physical environment. These systems
or devices detect or cause a direct change through the monitoring
and/or control of devices, processes, and events. Examples of
operational technology include industrial control systems, building
management systems, fire control systems, and physical access
control mechanisms (NIST SP 800-160 vol 2).
Overlay means a specification of security or privacy controls,
control enhancements, supplemental guidance, and other supporting
information employed during the tailoring process, that is intended
to complement and further refine security control baselines. An
overlay specification may be more stringent or less stringent than
the original security control baseline specification and can be
applied to multiple information systems (OMB Circular No. A-130).
Telemetry means the automatic recording and transmission of data
from remote or inaccessible sources to an information system in a
different location for monitoring and analysis. Telemetry data may
be relayed using radio, infrared ultrasonic, cellular, satellite or
cable, depending on the application.
(b) Applicability. The requirements of this clause shall only
apply to aspects of a Federal information system (FIS) that do not
involve cloud computing services.
(c) Records management and Government access.
(1) The Contractor shall provide the Contracting Officer with
all Government data and Government-related data in the format
specified in the contract.
(2) The Contractor shall dispose of Government data and
Government-related data in accordance with the terms of the contract
and provide the confirmation of disposition to the Contracting
Officer in accordance with contract closeout procedures.
(3)(i) To the extent required to carry out a program of
inspection to safeguard against threats and hazards to the security
(i.e., confidentiality, integrity, and availability) and privacy of
Government data; or for the purpose of audits, investigations,
inspections, or other similar activities, as authorized by law,
regulation, or this contract, the Contractor shall provide the
Government's authorized representatives (authorized representatives
include CISA, except for contracts with the Department of Defense,
the Intelligence Community, or for National Security Systems, and
could include other Federal agencies as specified by the Contracting
Officer), with--
(A) Timely access, including full access, to all Government data
and Government-related data;
(B) Timely access to contractor personnel involved in
performance of the contract; and
(C) Specifically for the purpose of audit, investigation,
inspection, or other similar activity, as authorized by law,
regulation, or this contract, timely physical access to any
Contractor facility with Government data.
(ii) In response to a request for access from CISA, the
Contractor shall--
(A) First confirm the validity of the request by contacting CISA
Central by email at [email protected], or by telephone at 888-282-
0870; and
(B) Immediately notify the Contracting Officer and any other
agency official designated in the contract, in writing, of receipt
of the request. Provision of information and access to CISA under
this clause shall not be delayed by submission of this notification
or awaiting acknowledgement of its receipt.
(d) Annual assessments. (1) If the Contractor is required to
develop, implement, operate, or maintain a FIS that is designated as
a moderate or high Federal Information Processing Standards (FIPS)
Publication 199 impact, the Contractor shall, unless otherwise
stated in the contract--
(i) Perform an annual, independent assessment of the security of
each FIS to include an architectural review and penetration testing
of the FIS;
(ii) At least annually, conduct a cyber threat hunting and
vulnerability assessment to search for cybersecurity risks,
vulnerabilities and indicators of compromise;
(iii) Promptly provide the Contracting Officer with the results
of the assessments at paragraphs (d)(1)(i) and (ii) of this clause,
including any recommended improvements or risk mitigations for each
FIS;
(iv) Upon agency request, promptly implement the recommended
improvements and mitigations, if any, for the FIS; and
(v) For any recommendation the agency does not request be
implemented, document the agency-provided rationale for not
implementing the improvement or mitigation in the Contractor's
System Security Plan (SSP).
(2) If the Contractor contracts with a third-party assessment
organization to perform the assessments required in paragraph
(d)(1)(i) and (ii) of this clause, the Contractor shall enter into a
strict confidentiality agreement with the third-party assessment
organization. The Contractor shall notify the Contracting Officer of
any existing business relationships the Contractor has with the
third-party assessment organization. The confidentiality agreement
shall--
(i) Ensure compliance with all applicable requirements for
disclosing information to the Government; and
(ii) Prohibit the third-party assessment organization from--
(A) Disclosing any Government data, and
(B) Retaining on its systems any Government data following the
conclusion of the assessment and transfer of all information related
to the assessment results to the Contractor.
(e) Security and privacy controls.
(1) The Contractor shall implement the controls, as specified by
the agency, in--
(i) National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-53, Security and Privacy Controls for
Information Systems and Organizations;
(ii) NIST SP 800-161, Cybersecurity Supply Chain Risk Management
Practices for Systems and Organizations;
(iii) NIST SP 800-82, Guide to Industrial Control Systems
Security; and
(iv) NIST SP 800-213, IoT Device Cybersecurity Guidance for the
Federal Government: Establishing IoT Device Cybersecurity
Requirements.
(2) The Contractor shall implement any additional requirements,
as identified in the contract, for an information system designated
by the agency as a high value asset. These requirements may include
implementation of a high value asset overlay and cooperation in the
conduct of all required cybersecurity assessments.
(3) The security and privacy controls specified by the agency in
accordance with paragraph (e)(1) of this section will include a
requirement to develop, review, and update, if appropriate, an SSP
to support authorization of all applicable FIS.
(i) NIST SP 800-18, Guide for Developing Security Plans for
Federal Information Systems, contains a template for an Information
SSP; and
(ii) The Contractor shall submit a copy of the SSP to the agency
upon request.
(4) The Contractor shall make contingency plans for all
information systems, aligned to NIST SP 800-34, Contingency Planning
Guide for Federal Information Systems, available to the agency upon
request.
(5) For a FIS required to meet FIPS Publication 199 high impact
requirements, the Contractor shall maintain within the United States
and its outlying areas (see FAR 2.101) all Government data that is
not physically located on U.S. Government premises, unless otherwise
specified in the contract.
(f) Additional considerations. For each FIS being developed,
implemented, operated, or maintained, the Contractor shall-
(1) Apply NIST SP 800-39, Managing Information Security Risk:
Organization, Mission, and Information System View, as the basis for
the Contractor's risk management process (framing, assessing,
responding to, and monitoring risk) when supporting agency risk
management activities;
(2) Apply NIST SP 800-37, Risk Management Framework for
Information
[[Page 68421]]
Systems and Organizations: A System Life Cycle Approach for Security
and Privacy, as the process to manage system risk through
preparation, categorization, control selection, control
implementation and assessment, system authorizations, and continuous
monitoring;
(3) Apply NIST SP 800-207, Zero Trust Architecture, when
designing zero trust architecture approaches;
(4) Apply NIST SP 800-160, Vol. 1, Systems Security Engineering:
Considerations for a Multidisciplinary Approach in the Engineering
of Trustworthy Secure Systems, which addresses the activities and
tasks, the concepts and principles, and most importantly, what needs
to be considered from a security perspective when executing within
the context of systems engineering;
(5) Apply NIST SP 800-160, Vol. 2, Developing Cyber-Resilient
Systems: A Systems Security Engineering Approach, when selecting,
adapting, and using cyber resiliency constructs for new systems,
system upgrades, or repurposed systems;
(6) Apply NIST SP 800-30, Guide for Conducting Risk Assessments,
when preparing for, conducting, communicating results from, and
maintaining risk assessments over time;
(7) Provide the Government with a continuous monitoring strategy
for the FIS that maintains ongoing awareness of information
security, vulnerabilities, and threats, in order to support
organizational risk management decisions, and applies the
following--
(i) NIST SP 800-137, Information Security Continuous Monitoring
(ISCM) for Federal Information Systems and Organizations, which
describes development and implementation of an ISCM Program,
including development of an ISCM strategy;
(ii) Use of automation, wherever possible, to increase the
speed, effectiveness, and efficiency of continuous monitoring; and
(iii) Protection of vulnerability scan data, logs, and telemetry
data (e.g., from Cybersecurity and Infrastructure Security Agency's
(CISA) Continuous Diagnostics and Mitigation program) commensurate
with the aggregate sensitivity of the collected data. The data and
logs shall be promptly made available to the Government upon the
Contracting Officer's request;
(8) Apply NIST SP 800-63-3, Digital Identity Guidelines, when--
(i) Selecting appropriate digital identity services;
(ii) Digitally authenticating a subject to Federal information
systems over a network; and
(iii) Implementing identity assurance, authenticator assurance,
and federation assurance levels based on risk; and
(9) Apply NIST SP 800-92, Guide to Computer Security Log
Management, when generating, transmitting, storing, analyzing, and
disposing of computer security log data.
(g) Cyber supply chain risk management. The Contractor may
implement alternative, additional, or compensating cyber supply
chain risk management security controls from those stated in the
contract, when authorized in writing by the Contracting Officer.
(h) Notifiable incident reporting, incident response and threat
reporting.
For contract coverage on security incident and cyber threat
reporting, see FAR clause 52.239-ZZ, Incident and Threat Reporting
and Incident Response Requirements for Products or Services
Containing Information and Communications Technology, in this
contract.
(i) Limitations on access to, use, and disclosure of Government
data, Government-related data, and any associated metadata.
(1) The Contractor shall not access, use, or disclose Government
data, Government-related data, and any associated metadata unless
specifically authorized under the contract or task or delivery order
or in writing by the Contracting Officer.
(i) When authorized, the access, use, or disclosure of
Government data, Government-related data, and any associated
metadata shall only be for purposes specified in the contract or
task or delivery order.
(ii) The Contractor shall ensure that its employees are subject
to all such access, use, and disclosure prohibitions and obligations
of this paragraph.
(iii) The access, use, and disclosure prohibitions and
obligations of this paragraph shall survive the expiration or
termination of this contract.
(2) The Contractor shall use Government metadata only to manage
the operational environment that supports the Government data and
for no other purpose unless otherwise permitted with the prior
written approval of the Contracting Officer.
(3) The Contractor shall notify the Contracting Officer promptly
of any requests from a third-party for access to Government data,
Government-related data, or any associated metadata, including any
warrants, seizures, or subpoenas it receives, including those from
another Federal, State, or local agency. The Contractor shall comply
with applicable clauses, regulations, and laws concerning protection
of Government data and Government-related data from any unauthorized
disclosure.
(4) The Contractor shall not publish or disclose in any manner,
without the Contracting Officer's written consent, the details of
any safeguards either designed or developed by the Contractor under
this contract or otherwise provided by the Government.
(j) Cryptographic key services. The Government reserves the
right to implement and operate its own cryptographic key management,
key revocation, and key escrow services. If key services are
provided by the contractor, the contractor shall provide the agency
with applicable key material and services.
(k) List of operational technology equipment. Unless the
contract states otherwise, the Contractor shall develop and maintain
a list of the physical location of all operational technology
included within the boundary of a FIS covered by this contract.
(1) The list shall be considered Government data. At a minimum,
the list shall include--
(i) The identification and description of any controllers,
relays, sensors, pumps, actuators, Open Platform Communications
Unified Architecture devices, and other industrial control system
devices; including, when available, the manufacturer, part number,
software version, communication protocols, and all static IP
addresses assigned to the different hardware components used in
performance of the contract;
(ii) An explanation of whether the device is password protected
and, if so, whether the password can be changed from the default
password provided by the manufacturer;
(iii) An explanation of whether the device is accessible
remotely (e.g., through internet or another network connection);
(iv) Location information in enough detail to affirmatively
locate the operational technology equipment, if necessary; and
(v) Whether multi-factor authentication is present and enabled.
(2) The Contractor shall update the list to track any movement
of the equipment during contract performance, as software or
firmware updates are applied, when equipment is removed or taken out
of service; or when equipment is added or placed into service.
(3) Upon request by the Contracting Officer, the Contractor
shall provide the Government a copy of the current and/or historical
list(s).
(l) Binding Operational Directives and Emergency Directives.
(1) Except as identified in paragraph (l)(2) of this clause, the
Contractor shall comply with the Binding Operational Directives
(BODs) and Emergency Directives (EDs) issued by CISA and having a
specific applicability to a FIS used or operated by a contractor.
The list of BODs and EDs can be found at https://www.cisa.gov/directives.
(2) The following BODs and EDs that have a specific
applicability to a FIS used or operated by a contractor will not
apply to this contract: ___.
[Contracting Officer to list any BODs or EDs not applicable to
the contract, as specified by the requiring activity]
(3) BODs and EDs with specific applicability to a FIS used or
operated by a contractor that are issued after the date of award
will be applied to this contract, at the Contracting Officer's
discretion, through appropriate modification of the contract.
(m) Indemnity for potential or actual loss or damage of
Government data.
(1) The Contractor shall indemnify the Government and its
officers, agents, and employees acting for the Government against
any liability arising out of the performance of the contract,
including costs and expenses, incurred as the result of the
Contractor's unauthorized introduction of copyrighted material to
which the Contractor has no rights or license that may infringe on
the copyright interest of others, information subject to a right of
privacy, and any libelous or other unlawful matter into Government
data. The Contractor agrees to waive any and all defenses that may
be asserted for its benefit, including (without limitation) the
``Government Contractors Defense.''
(2) The Contractor shall indemnify the Government and its
officers, agents, and employees acting for the Government against
any liability arising out of the performance of this contract,
including costs and expenses,
[[Page 68422]]
incurred as the result of the Contractor's potential or actual
unauthorized disclosure of trade secrets, copyrighted materials,
contractor bid or proposal information, source selection
information, classified information, material marked as ``Controlled
Unclassified Information'', information subject to a right of
privacy or publicity, personally identifiable information as defined
by OMB Circular A-130 (2016) or successor thereof, or any record as
defined in 5 U.S.C. 552a.
(3) In the event of any claim or suit against the Government on
account of any alleged unauthorized disclosure or introduction of
data or information arising out of the performance of this contract
or services performed under this contract, the Contractor shall
furnish to the Government, when requested by the Contracting
Officer, all evidence and information in the Contractor's possession
pertaining to such claim or suit.
(4) The provisions of this paragraph (m) do not apply unless the
Government provides notice to the Contractor as soon as practicable
of any claim or suit, affords the Contractor an opportunity under
applicable laws, rules, or regulations to participate in the defense
of the claim or suit, and these provisions do not apply to any
libelous or other unlawful matter contained in such data furnished
to the Contractor by the Government and incorporated in data to
which this clause applies. Further, this indemnity shall not apply
to--
(i) A disclosure or inclusion of data or information upon
specific written instructions of the Contracting Officer directing
the disclosure or inclusion of such information or data; or
(ii) A third-party claim that is unreasonably settled without
the consent of the Contractor, unless required by final decree of a
court of competent jurisdiction.
(n) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (n), in all subcontracts under
this contract for services to develop, implement, operate, or
maintain, a FIS using other than cloud computing services.
(End of clause)
0
23. Amend section 52.244-6 by--
0
a. Revising the date of the clause; and
0
b. Redesignating paragraph (c)(1)(xxi) as (c)(1)(xxiii) and adding new
paragraphs (c)(1)(xxi) and (xxii).
The revisions read as follows:
52.244-6 Subcontracts for Commercial Products and Commercial Services.
* * * * *
Subcontracts for Commercial Products and Commercial Services (DATE)
* * * * *
(c)(1) * * *
(xxi) 52.239-YY Federal Information Systems Using Non-Cloud
Computing Services (DATE) (E.O. 14028 and 15 U.S.C. 278g-3e) if flow
down is required in accordance with paragraph (n) of FAR clause 52.239-
YY.
(xxii) 52.239-XX Federal Information Systems Using Cloud Computing
Services (DATE) (E.O. 14028) if flow down is required in accordance
with paragraph (i) of FAR clause 52.239-XX.
* * * * *
[FR Doc. 2023-21327 Filed 10-2-23; 8:45 am]
BILLING CODE 6820-EP-P