[Federal Register Volume 90, Number 2 (Friday, January 3, 2025)]
[Proposed Rules]
[Pages 297-300]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-30504]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 2, 7, 11, 12, and 39
[FAR Case 2019-014, Docket No. FAR-2019-0014, Sequence No. 1]
RIN 9000-AN97
Federal Acquisition Regulation: Strengthening America's
Cybersecurity Workforce
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal
Acquisition Regulation (FAR) to incorporate a framework for describing
cybersecurity workforce knowledge and skill requirements used in
contracts for information technology support services and cybersecurity
support services in line with an Executive Order to enhance the
cybersecurity workforce.
DATES: Interested parties should submit written comments to the
Regulatory Secretariat Division at the address shown below on or before
March 4, 2025 to be considered in the formation of the final rule.
ADDRESSES: Submit comments in response to FAR Case 2019-014 to the
Federal eRulemaking portal at https://www.regulations.gov by searching
for ``FAR Case 2019-014''. Select the link ``Comment Now'' that
corresponds with ``FAR Case 2019-014''. Follow the instructions
provided on the ``Comment Now'' screen. Please include your name,
company name (if any), and ``FAR Case 2019-014'' on your attached
document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR
FURTHER INFORMATION CONTACT section of this document for alternate
instructions.
Instructions: Please submit comments only and cite ``FAR Case 2019-
014'' in all correspondence related to this case. Comments received
generally will be posted without change to https://www.regulations.gov,
including any personal and/or business confidential information
provided. Public comments may be submitted as an individual, as an
organization, or anonymously (see frequently asked questions at https://www.regulations.gov/faq). To confirm receipt of your comment(s),
please check https://www.regulations.gov, approximately two to three
days after submission to verify posting.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Malissa Jones, Procurement Analyst, at 571-882-4687 or by email at
[email protected]. For information pertaining to status,
publication schedules, or alternate instructions for submitting
comments if https://www.regulations.gov cannot be used, contact the
Regulatory Secretariat at 202-501-4755 or [email protected]. Please
cite ``FAR Case 2019-014.''
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA are proposing to revise the FAR to incorporate
the NICE Workforce Framework for Cybersecurity (NICE Framework),
National Institute of Standards and Technology (NIST) Special
Publication 800-181 and additional tools to implement it at https://www.nist.gov/nice/framework, for describing workforce knowledge and
skill requirements used in contracts for information technology support
services and cybersecurity support services in line with Executive
Order (E.O.) 13870, America's Cybersecurity Workforce. E.O. 13870
requires agencies to incorporate the NICE Framework, NIST Special
Publication 800-181 into workforce knowledge and skill requirements
used in contracts for information technology and cybersecurity
services. DoD, GSA, and NASA are proposing to revise the FAR to ensure
that when acquiring information technology support services or
cybersecurity support services, agencies describe the cybersecurity
workforce tasks, knowledge, skills, and work roles to align with the
NICE Framework.
The NICE Framework is a nationally focused resource that
categorizes and describes cybersecurity work. The NICE Framework
establishes a common language that defines and categorizes
cybersecurity competency areas and work roles, including the knowledge
[[Page 298]]
and skills needed to complete tasks in those roles. It is a fundamental
resource in the development and support of a prepared and effective
cybersecurity workforce that enables consistent organizational and
sector communication for cybersecurity education, training, and
workforce development. The NICE Framework is intended to be applied in
the public, private, and academic sectors to grow the cybersecurity
capability of the U.S. Government, increase integration of the Federal
cybersecurity workforce, and strengthen the skills of Federal
information technology and cybersecurity practitioners.
II. Discussion and Analysis
DoD, GSA, and NASA are proposing to amend the FAR to define terms
that are referenced. As such, this rule proposes to amend FAR 2.101 by
adding a definition for ``cybersecurity'' and a definition for the
``NICE Workforce Framework for Cybersecurity (NICE Framework)''.
Previously known as the ``National Initiative for Cybersecurity
Education,'' NICE is now known only by its acronym.
For the acquisition of information technology support services
(e.g., backup and recovery services and technical support) or
cybersecurity support services (e.g., threat analysis, vulnerability
analysis, and digital forensics), the proposed rule implements the
following requirements to ensure agencies include the cybersecurity
workforce tasks, knowledge, skills, and work roles to align with the
NICE Framework in contracts:
FAR 7.105 is amended to require that agency acquisition
plans for the acquisition of information technology support services or
cybersecurity support services describe any cybersecurity workforce
tasks, knowledge, skills, and work roles to align with the NICE
Framework.
FAR 11.002 is amended to require that cybersecurity
workforce tasks, knowledge, skills, and work roles described in agency
requirements documents align with the NICE Framework. Agencies shall
also require offers, quotes, and reporting requirements (e.g.,
contractor deliverables) to align with the NICE Framework.
FAR 12.202 is amended to require, for the acquisition of
commercial products and commercial services, compliance with the
direction at FAR 11.002 for incorporating the NICE Framework in
requirements documents.
FAR 39.104 is amended to reference, for information
technology support services and cybersecurity support services, the
direction at FAR 11.002 for incorporating the NICE Framework in
requirements documents.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Products (Including Commercially
Available Off-the-Shelf (COTS) Items) or for Commercial Services
This rule does not create new solicitation provisions or contract
clauses or impact any existing provisions or clauses.
IV. Expected Impact of the Rule
A. Requirement
This proposed rule implements requirements for agencies procuring
information technology support services and cybersecurity support
services to provide--
(1) The cybersecurity workforce tasks, knowledge, skills, and work
roles to align with the NICE Framework in their acquisition plans as a
security consideration;
(2) A description, in the requirements documents, of the
cybersecurity workforce tasks, knowledge, skills, and work roles to
align with the NICE Framework; and,
(3) Requirements for offers, quotes, and reporting requirements
(e.g., contract deliverables) to align with the NICE Framework.
B. Impact
Government. This rule will require agencies to become familiar with
the NICE Framework provided in NIST Special Publication 800-181 and
additional tools to implement it at https://www.nist.gov/nice/framework
in order to describe the cybersecurity workforce tasks, knowledge,
skills, and work roles when procuring information technology support
services and cybersecurity support services. Agencies are expected to
verify that offers, quotes, and reporting requirements (e.g., contract
deliverables) align with the NICE Framework. It is expected that this
will take place as a part of the Government's existing acquisition
process.
Public. This rule does not add any new information collection or
additional requirements for contractors. This rule requires contractors
to ensure contract deliverables are consistent with the NICE Framework
when specified for the acquisition of information technology support
services and cybersecurity support services.
Regulatory familiarization. It is expected that contractors
providing information technology support services and cybersecurity
support services will be required to become familiar with the NICE
Framework (NIST Special Publication 800-181 and additional tools to
implement it at https://www.nist.gov/nice/framework) which is estimated
to take 20 hours. Contractors may be required to update their policies
and procedures to comply with the NICE Framework requirements for
acquisitions of information technology support services and
cybersecurity support services. The cost to the public associated with
this rule is not expected to be significant because it is limited to
the cost of regulatory familiarization and the application of its
requirements to offers and quotes for information technology support
services and cybersecurity support services.
Based on data from the Federal Procurement Data System (FPDS) for
fiscal years (FY) 2021, 2022, and 2023, there was an average of 5,468
unique entities that were awarded contracts for information technology
services, of which 64 percent (3,490) are unique small entities.
Considering this information, the Government assumes that approximately
50 percent of the unique entities may be awarded a contract for
information technology support services or cybersecurity support
services. Therefore, it is estimated that 2,734 entities, of which
1,745 are unique small entities, would need to ensure that the contract
deliverables submitted to the Government, are consistent with the NICE
Framework. The Government has no way to estimate the number of entities
awarded non-information technology services awards that contain some
information technology support services requirements or cybersecurity
support services requirements.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 (as amended by E.O. 14094) and 13563
direct agencies to assess the costs and benefits of available
regulatory alternatives and, if regulation is necessary, to select
regulatory approaches that maximize net benefits (including potential
economic, environmental, public health and safety effects, distributive
impacts, and equity). E.O. 13563 emphasizes the importance of
quantifying both costs and benefits, of reducing costs, of harmonizing
rules, and of promoting flexibility. This rule is not a significant
regulatory action and, therefore, was not subject to review under
section 6(b) of E.O. 12866, Regulatory Planning and Review, dated
September 30, 1993.
[[Page 299]]
VI. Regulatory Flexibility Act
DoD, GSA, and NASA do not expect this proposed rule, if finalized,
to have a significant economic impact on a substantial number of small
entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C.
601-612. However, an Initial Regulatory Flexibility Analysis (IRFA) has
been performed and is as follows:
1. Reasons for the action.
The reason for this proposed rule is to revise the Federal
Acquisition Regulation (FAR) to incorporate the NICE Workforce
Framework for Cybersecurity (NICE Framework), National Institute of
Standards and Technology (NIST) Special Publication 800-181 for
describing workforce knowledge and skill requirements used in
contracts for information technology support services and
cybersecurity support services in line with Executive Order (E.O.)
13870, America's Cybersecurity Workforce. E.O. 13870 directs
agencies to incorporate the NICE Framework lexicon and taxonomy into
workforce knowledge and skill requirements used in contracts for
information technology and cybersecurity services.
2. Objectives of, and legal basis for, the rule.
The objective of this rule is to strengthen the cybersecurity
workforce on Federal contracts by incorporating the cybersecurity
workforce tasks, knowledge, skills, and work roles into requirements
to align with the NICE Framework (NIST SP 800-181 and additional
tools to implement it at https://www.nist.gov/nice/framework).
The rule proposes to amend FAR 7.105 to add the NICE Framework
to the list of security considerations analyzed during acquisition
planning for information technology support services and
cybersecurity support services. The proposed rule also includes
amendments to FAR 11.002 to require agencies to provide workforce
knowledge and skill requirements and contract deliverables that are
consistent with the NICE Framework in their requirements
documentation.
The legal basis for the rule is E.O. 13870, America's
Cybersecurity Workforce. Promulgation of the FAR is authorized by 40
U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy
provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.
3. Description of and an estimate of the number of small
entities to which the rule will apply.
Based on data from the Federal Procurement Data System (FPDS)
for fiscal years (FY) 2021, 2022, and 2023, there was an average of
5,468 unique entities that were awarded contracts for information
technology services, of which 64 percent (3,490) are unique small
entities. Considering this information, the Government assumes that
approximately 50 percent of the unique entities may be awarded a
contract for information technology support services or
cybersecurity support services. Therefore, it is estimated that
2,734 entities, of which 1,745 are unique small entities, would need
to ensure that the contract deliverables submitted to the Government
are consistent with the NICE Framework. The Government has no way to
estimate the number of entities awarded non-information technology
services awards that contain some information technology support
services requirements or cybersecurity support services
requirements.
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule.
There are no reporting, recordkeeping, or other compliance
requirements in this rule.
5. Relevant Federal rules which may duplicate, overlap, or
conflict with the rule.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small
entities.
DoD, GSA, and NASA were unable to identify any alternatives that
would reduce the burden on small entities and still meet the
objectives of E.O. 13870.
The Regulatory Secretariat has submitted a copy of the IRFA to the
Chief Counsel for Advocacy of the Small Business Administration. A copy
of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA,
and NASA invite comments from small business concerns and other
interested parties on the expected impact of this proposed rule on
small entities.
DoD, GSA, and NASA will also consider comments from small entities
concerning the existing regulations in subparts affected by the rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C 610 (FAR Case 2019-014), in
correspondence
VII. Paperwork Reduction Act
This rule does not contain any information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. 3501-3521).
List of Subjects in 48 CFR Parts 2, 7, 11, 12, and 39
Government Procurement.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 2, 7,
11, 12, and 39 as set forth below:
0
1. The authority citation for 48 CFR parts 2, 7, 11, 12, and 39
continues to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C.
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C.
20113.
PART 2--DEFINITIONS OF WORDS AND TERMS
0
2. Amend section 2.101 by adding in alphabetical order the definitions
``Cybersecurity'' and ``NICE Workforce Framework for Cybersecurity
(NICE Framework)''.
2.101 Definitions.
* * * * *
Cybersecurity means prevention of damage to, protection of, and
restoration of computers, electronic communications systems, electronic
communications services, wire communication, and electronic
communication, including information contained therein, to ensure its
availability, integrity, authentication, confidentiality, and
nonrepudiation (see National Security Presidential Directive/NSPD-54,
Homeland Security Presidential Directive/HSPD-23.)
* * * * *
NICE Workforce Framework for Cybersecurity (NICE Framework) means a
common language for describing cybersecurity work which expresses the
work as task statements and includes knowledge and skill statements
that provide a foundation for learners including students, job seekers,
and employees (see National Institute of Standards and Technology
Special Publication 800-181 and additional tools to implement it at
https://www.nist.gov/nice/framework).
PART 7--ACQUISITION PLANNING
0
3. Amend section 7.105 by revising paragraph (b)(18)(ii) to read as
follows.
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(18) * * *
(ii)(A) For information technology acquisitions, discuss how agency
information security requirements will be met.
(B) For the acquisition of information technology support services
or cybersecurity support services, describe any cybersecurity workforce
tasks, knowledge, skills, and work roles to align with the NICE
Workforce Framework for Cybersecurity (NICE Framework) (National
Institute of Standards and Technology Special Publication 800-181 and
additional tools to implement it at https://www.nist.gov/nice/framework) in effect at the time the solicitation is issued (see
11.002(i)).
[[Page 300]]
PART 11--DESCRIBING AGENCY NEEDS
0
4. Amend section 11.002 by adding paragraph (i) to read as follows:
11.002 Policy.
* * * * *
(i) Agencies shall procure information technology support services
and cybersecurity support services in accordance with section 39.104.
Agencies shall--
(1) Ensure any cybersecurity workforce tasks, knowledge, skills,
and work roles described in the requirements documents are aligned with
the NICE Workforce Framework for Cybersecurity (NICE Framework)
(National Institute of Standards and Technology Special Publication
800-181 and additional tools to implement it at https://www.nist.gov/nice/framework) in effect at the time the solicitation is issued; and
(2) Require any offers, quotes, and reporting requirements (e.g.,
contract deliverables) to align with the NICE Framework in effect at
the time of the solicitation.
PART 12--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL SERVICES
0
5. Amend section 12.202 by adding paragraph (f) to read as follows:
12.202 Market research and description of agency need.
* * * * *
(f) When acquiring information technology support services or
cybersecurity support services, requirements documents shall describe
any cybersecurity workforce tasks, knowledge, skills, and work roles to
align with the NICE Workforce Framework for Cybersecurity (NICE
Framework) (see NIST Special Publication 800-181 and additional tools
to implement it at https://www.nist.gov/nice/framework) in effect at
the time the solicitation is issued (see 11.002(i) and 39.104(b)).
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY
0
6. Revise section 39.104 to read as follows:
39.104 Information technology services.
(a) When acquiring information technology services, solicitations
must not describe any minimum experience or educational requirement for
proposed contractor personnel unless the contracting officer determines
that the needs of the agency--
(1) Cannot be met without that requirement; or
(2) Require the use of other than a performance-based acquisition
(see subpart 37.6).
(b) When acquiring information technology support services (e.g.,
backup and recovery services, technical support) or cybersecurity
support services (e.g., threat analysis, vulnerability analysis,
digital forensics), which are a subset of information technology
services, agencies must--
(1) Ensure any cybersecurity workforce tasks, knowledge, skills,
and work role requirements align with the NICE Workforce Framework for
Cybersecurity (NICE Framework) (National Institute of Standards and
Technology Special Publication 800-181 and additional tools to
implement it at https://www.nist.gov/nice/framework) in effect at the
time the solicitation is issued (see 11.002(i)); and
(2) Ensure any cybersecurity workforce tasks, knowledge, skills,
and work role requirements comply with paragraph (a) of this section.
[FR Doc. 2024-30504 Filed 1-2-25; 8:45 am]
BILLING CODE 6820-EP-P