AGENCY:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Proposed rule.

SUMMARY:

DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to partially implement an Executive Order to standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems, and a statute on improving the Nation's cybersecurity.

DATES:

Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before December 4, 2023 to be considered in the formation of the final rule.

ADDRESSES:

Submit comments in response to FAR Case 2021–019 to the Federal eRulemaking portal at https://www.regulations.gov by searching for “FAR Case 2021–019”. Select the link “Comment Now” that corresponds with “FAR Case 2021–019”. Follow the instructions provided on the “Comment Now” screen. Please include your name, company name (if any), and “FAR Case 2021–019” on your attached document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR FURTHER INFORMATION CONTACT section of this document for alternate instructions.

Instructions: Please submit comments only and cite “FAR Case 2021–019” in all correspondence related to this case. Comments received generally will be posted without change to https://www.regulations.gov, including any personal and/or business confidential information provided. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at https://www.regulations.gov/​faq). To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two three days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT:

For clarification of content, contact Ms. Carrie Moore, Procurement Analyst, at (571) 300–5917 or by email at carrie.moore@gsa.gov. For information pertaining to status, publication schedules, or alternative instructions for submitting comments if https://www.regulations.gov cannot be used, contact the Regulatory Secretariat Division at 202–501–4755 or GSARegSec@gsa.gov. Please cite FAR Case 2021–019.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA are proposing to revise the FAR to provide standardized cybersecurity contractual requirements across Federal agencies for Federal information systems (FIS) by implementing: (1) recommendations received in accordance with paragraph (i) of section 2 of Executive Order (E.O.) 14028, “Improving the Nation's Cybersecurity,” dated May 12, 2021; and (2) paragraphs (a) and (b)(1) of section 7 of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Pub. L. 116–207). Other aspects of section 2 of E.O. 14028 are being implemented in FAR Case 2021–017, Cyber Threat and Incident Reporting and Information Sharing. This rulemaking does not implement Office of Management and Budget Memorandum M–22–18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, issued September 14, 2022.

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public and private sectors' security and privacy. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. With threats continuing to grow, this activity could yield costs of more than $1 trillion over a decade. In addition to the aggregate effect on the economy, the impact of a single cyber incident to an individual company can be crippling. An October 2020 study from the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security (DHS), entitled “Cost of a Cyber Incident: Systematic Review and Cross-Validation,” indicates that the average per-incident cost to small businesses of less than 250 employees and medium-sized businesses of at least 250 employees, but less than 1,000 employees, could range from $5,000 to $226,000, and from $102,000 to $40 million for large businesses of 1,000 employees or more.

The Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions. Contractors must be able to adapt to the continuously changing threat environment, ensure products are built and operate securely, and coordinate with the Government to foster a more secure cyberspace. It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines. In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced.

The Government has a responsibility to protect and secure its computer systems, whether they are cloud-based, on-premises, or a hybrid of the two. The scope of that protection and security must encompass the systems that process data ( e.g., information technology (IT)) and those that run the vital machinery that ensures its safety ( e.g., operational technology (OT)). The Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems (FIS).

A FIS is an information system used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency. All FISs require protection as part of good risk management practices. Agencies are responsible for determining what information systems are FIS, in accordance with the definition provided in this rule.

Currently, contractual requirements for the cybersecurity standards of unclassified FISs are largely based on agency-specific policies and regulations. The risks associated with agency-specific policies can result in inconsistent security requirements across contracts, as well as be unclear, add costs, and restrict competition.

To address these risks, paragraph (i) of section 2 of E.O 14028 requires the DHS Secretary, acting through the Director of CISA, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity Start Printed Page 68403 requirements. Paragraph (j) of section 2 of E.O. 14028 then directs that FAR Council to consider the contract language received from DHS and publish for public comment any proposed updates to the FAR. This proposed rule would implement the DHS recommendations across all Federal agencies to streamline requirements and improve compliance for contractors and the Government.

By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats. In addition, and as required by paragraph (k) of section 2 of E.O. 14028, upon issuance of a final rule, agencies shall update their agency-specific requirements to remove any requirements that are duplicative of such FAR updates.

II. Discussion and Analysis

This proposed rule provides cybersecurity policies, procedures, and requirements for contractor services to develop, implement, operate, or maintain a FIS. This rule underscores that compliance with these requirements is material to eligibility and payment under Government contracts.

A contract to develop, implement, operate, or maintain a FIS may require contractors to utilize cloud computing services, services other than cloud computing services ( i.e., non-cloud computing services, also known as on-premises computing services), or a hybrid of both approaches when providing services under the contract. As such, this rule specifies the policies, procedures, and requirements that apply to each service approach ( i.e., a FIS that uses non-cloud computing services and a FIS that uses cloud computing services). When an acquisition requires the use of both non-cloud computing services and cloud computing services in performance of the contract, the rule would require compliance with the policies, procedures, and requirements for each service approach, as they respectively apply to the FIS.

This rule proposes to: (1) add a new FAR subpart 39.X, “Federal Information Systems,” to prescribe policies and procedures for agencies when acquiring services to develop, implement, operate, or maintain a FIS; (2) add and revise definitions in parts 2 and 39.X using current language from statute, regulation, Office of Management and Budget memoranda and circulars, and National Institute of Standards and Technology (NIST) Special Publications (SP) guidance; (3) make conforming changes to parts 4, 7, 37, and 39 to further implement policies and procedures described below; and (4) add two new FAR clauses to be used in contracts for services to develop, implement, operate, or maintain a FIS: FAR clause 52.239–YY, “Federal Information Systems Using Non-Cloud Computing Services,” which is included in solicitations and contracts that use non-cloud computing services in performance of the contract; and FAR clause 52.239–XX, “Federal Information Systems Using Cloud Computing Services,” which is included in solicitations and contracts that use cloud computing services in performance of the contract. The policies and requirements specified in this rule are discussed below.

A. FISs Using Non-Cloud Computing Services

FIPS Publication 199 Impact Level and Mandatory Security and Privacy Controls. As each requirement will vary in scope, as well as the function of each FIS, adequate security and privacy controls must be identified when agencies define their acquisition requirements. Agencies will use Federal Information Processing Standard (FIPS) Publication 199 to categorize the FIS based on its impact analysis of the information processed, stored, or transmitted by the system. As a result of the analysis, the FIPS Publication 199 impact level of the FIS, as well as a set of necessary security and privacy controls for the FIS, will be specified by the agency in the contract. As part of the security and privacy controls identified by the agency, the rule would require agencies to address multifactor authentication, administrative accounts, consent banners, Internet of Things device controls, and assessment requirements, when applicable, in every applicable contract. The proposed rule adds text to FAR part 7 to ensure that acquisition planners develop agency requirements in accordance with the rule's requirements.

Records Management and Government Access. To assist the Government: (1) in carrying out a program of inspection to safeguard against threats and hazards to the security and privacy of Government data, or (2) for the purpose of audits, investigations, inspections or similar activities, paragraph (c) of the clause 52.239–YY would require contractors to provide the Government's authorized representatives, which includes CISA (for civilian agencies) as well as other Federal agencies as specified by the contracting officer, with timely and full access to Government data and Government-related data, timely access to contractor personnel involved in performance of the contract, and specifically for the purpose of audit, investigation, inspection, or other similar activity, physical access to any contractor facility with Government data including any associated metadata. If the contractor receives a request for access from CISA, the contractor must confirm the validity of the request by contacting CISA and notifying the contracting officer in writing of the request for access.

Assessments. When a FIS is designated as a moderate or high FIPS Publication 199 impact level, paragraph (d) of the clause 52.239–YY would require contractors: (1) to conduct, at least annually, a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks, and indicators of compromise; and (2) to perform to an annual, independent assessment of the security of each FIS. Upon completion, contractors would submit the results of an assessment, including any recommended improvements or risk mitigations, to the contracting officer. The agency will review the results of the assessment. The agency may require the contractor to implement the recommended improvement or mitigation. The agency may provide the contractor with a rationale for not requiring the contractor to implement the recommendation or mitigation, and if so, the contractor would document the agency's rationale in the System Security Plan (SSP).

If the contractor contracts with a third-party assessment organization to perform these assessments, contractors must enter into a confidentiality agreement with the organization to protect Federal data under the contract. To assist with mitigating any potential conflicts of interest, the clause would also require contractors to notify the contracting officer of any existing business relationships the contractor may have with the organization.

Specification of Additional Security and Privacy Controls. Agencies will also specify in the requirement the security and privacy controls necessary for contract performance. In accordance with paragraph (e) of the clause 52.239–YY, the controls specified by the agency will be based on the current version of the following documents at the time of contract award: NIST SP 800–53, “Security and Privacy Controls for Information Systems and Organizations;” NIST SP 800–213 “IOT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements;” NIST SP 800–161, “Cybersecurity Start Printed Page 68404 Supply Chain Risk Management Practices for Systems and Organizations;” and NIST SP 800–82, “Guide to Industrial Control Systems Security.” Paragraph (e) also requires contractors to: (1) develop, review, and update, if appropriate, an SSP to support authorization of all applicable FIS, and (2) have contingency plans for all information technology systems, aligned to NIST SP 800–34, “Contingency Planning Guide for Federal Information Systems.” The rule does not require a specific format for the SSP, but NIST SP 800–34 provides information on a template that contractors may choose to use. Contractors will be expected to provide a copy of the SSP, as well as make contingency plans available, to an agency upon request.

In some situations, an information system may be designated as a high value asset by the agency. In accordance with paragraph (e) of the clause 52.239–YY, contractors will be subject to, as specified in the requirement, additional security and privacy controls for a high value asset, that could include the implementation of a high value asset overlay, immediate failover and/or recover plans, and complying with requisite cybersecurity assessments ( e.g., contractor cooperation and allowing access).

Additional considerations. For each non-cloud FIS developed, implemented, operated, or maintained, paragraph (f) of the clause 52.239–YY requires contractors to apply NIST SP guidance on various topics when performing or managing certain activities related to the FIS, including: managing information system risk when supporting agency risk management activities; developing risk management processes; conducting and communicating the results of risk assessments; designing zero trust architecture approaches; considering security when executing within the context of systems engineering; selecting, adapting, and using cyber resiliency constructs for new systems, system upgrades, or repurposed systems; implementing continuous monitoring strategies for FISs; and implementing digital identity services and requirements. Further, paragraph (f)(7) requires contractors to provide the Government with a copy of their continuous monitoring strategy for the FIS that demonstrates an ongoing awareness of information security, vulnerabilities, and threats in order to support risk management decisions, and applies the use of automation, wherever possible; protects vulnerability scan data, logs, and telemetry; and applies the guidance of NIST SP 800–137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.”

Cyber supply chain risk management. Paragraph (g) of the clause 52.239–YY advises that contractors may implement alternative, additional, or compensating cyber supply chain risk management security controls from those stated in the contract, when authorized in writing to do so by the contracting officer.

Notifiable incident reporting, incident response, and threat reporting. Paragraph (h) of the clause 52.239–YY reminds contractors that they must refer to FAR clause 52.239–ZZ, “Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology” (see FAR case 2021–017), for guidance on handling security incident and cyber threat reporting.

Other protections. Paragraph (i) of the clause 52.239–YY specifies the limitations on contractor access to, use, and disclosure of Government data, Government-related data, and metadata under the contract, and requires contractors to notify the contracting officer of any requests from an entity other than the contracting activity (including warrants, seizures, or subpoenas the contractor receives from another Federal, State, or local agency) for access to Government data, Government-related data, or any associated metadata. The clause also notifies contractors that they must also comply with applicable clauses, regulations, and laws regarding unauthorized disclosure.

Cryptographic Key Services. When providing cryptographic key services under the contract, paragraph (j) of the clause 52.239–YY requires contractors to provide the agency with applicable key material and services; however, the Government reserves the right to implement and operate its own cryptographic key services under the contract.

Operational Technology Equipment List. Paragraph (k) of the clause 52.239–YY requires contractors to develop and maintain a list of the physical location of all operational technology equipment included within the boundary for the non-cloud FIS and provide a copy to the Government, upon request. While the proposed rule does not specify a format for the operational technology equipment list, contractors must ensure that the list includes enough information about the equipment to positively locate and track any movement of the equipment during contract performance, including details on password protection and the ability for remote access to the equipment.

Binding Operational Directives and Emergency Directives. Paragraph (l) of clause 52.239–YY advises that contractors must comply with Binding Operational Directives (BODs) and Emergency Directives (EDs) issued by CISA that have specific applicability to a FIS used or operated by a contractor. A list of BODs and EDs can be found at https://www.cisa.gov/​directives. Occasionally, a BOD or ED with an explicit applicability to a FIS used or operated by a contractor will not need to apply to a contract. In such situations, the contracting officer will identify, in paragraph (l)(2) of the clause, any such BODs or EDs that are not applicable to the contract.

Indemnification. Paragraph (m) of the clause 52.239–YY indemnifies the Government from any liability that arises out of the performance of the contract and is incurred because of the contractor's introduction of certain information or matter into Government data or the contractor's unauthorized disclosure of certain information or material. The paragraph serves as a waiver of defense to change the analysis from negligence, which is the defense, to strict liability, which doesn't allow for a defense. The paragraph also provides terms and requirements in the event of a claim or suit against the Government for such an unauthorized disclosure or introduction of data or information. The proposed text was taken from industry terms of service agreements for cloud services providers.

Subcontracts. Paragraph (n) of the clause 52.239–YY advises contractors that the substance of the clause must be included in any subcontracts issued under the contract that are for services to develop, implement, operate, or maintain a FIS using non-cloud computing services.

Prohibition on IoT Devices. The rule also implements a portion of the “Internet of Things Cybersecurity Improvement Act of 2020” (Pub. L. 116–207), which prohibits agencies from procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device if the agency's Chief Information Officer determines in certain situations that the use of such a device prevents compliance with NIST SP 800–213. The rule advises contracting officers at 39.X03–1(b) of the prohibition and how the prohibition may be waived by the head of the agency if certain criteria are met.

B. FIS Using Cloud Computing Services

When acquiring services to develop, implement, operate, or maintain a FIS Start Printed Page 68405 using cloud computing services, agencies will identify the FIPS Publication 199 impact level and the corresponding Federal Risk and Authorization Management Program (FedRAMP) authorization level for all applicable cloud computing services in the contract.

Safeguards, controls, and maintenance of certain systems within the United States. Paragraph (c) of the clause 52.239–XX requires contractors to implement and maintain the security and privacy safeguards and controls in accordance with the FedRAMP level specified by the agency, engage in continuous monitoring activities, and provide continuous monitoring deliverables as required for FedRAMP approved capabilities. More information on these deliverables can be found in the “FedRAMP Continuous Monitoring Strategy Guide” at https://www.fedramp.gov/​assets/​resources/​documents/​CSP_​Continuous_​Monitoring_​Strategy_​Guide.pdf.

Additionally, paragraph (c) specifies that, when a system is categorized as having FIPS Publication 199 high impact, contractors must maintain within the United States or its outlying areas (see FAR 2.101) all Government data that is not physically located on U.S. Government premises, unless otherwise specified in the contract.

Government data. Paragraph (f) of the clause 52.239–XX requires contractors to provide and dispose of Government data and Government-related data in the manner and format specified in the contract. Contractors must also provide confirmation to the contracting officer that such data has been disposed of in accordance with contract closeout procedures.

Other protections. Similar to the requirements for non-cloud FISs in clause 52.239–YY, the clause 52.239–XX: (1) at paragraph (c), reserves the Government's right to implement and operate its own cryptographic key services under the contract; (2) at paragraph (d), specifies the limitations on contractor access to, use, and disclosure of Government data and Government-related data under the contract; (3) at paragraph (e), requires contractors to handle security incident and cyber threat reporting in accordance with proposed FAR clause 52.239–ZZ; (4) at paragraph (f), specifies the terms for the Government's authorized representatives' access to Government and Government-related data, contractor personnel, and contractor facilities; (5) at paragraph (g), requires contractors to notify the contracting officer of any requests from a third-party (including another Federal, State, or local agency) for access to Government data and Government-related data; (6) at paragraph (h), requires contractors to indemnify the Government from any liability that arises out of the performance of the contract because of the contractor's introduction of certain information or matter into Government data or the contractor's unauthorized disclosure of certain information or material; and (7) at paragraph (i), specifies when to include the substance of the clause in subcontracts.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Products (Including Commercially Available Off-the-Shelf (COTS) Items) or for Commercial Services

This rule applies section 7 of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3e) to acquisitions valued at or below the SAT because of the “notwithstanding section 1905” in 15 U.S.C. 278g–3e(a)(2) which applies the Act to such acquisitions. This rule also applies to acquisitions for commercial products, including COTS items, and commercial services because Government data and systems require protection regardless of dollar value or commerciality of the product or service.

To implement paragraphs (a) and (b)(1) of section 7 of the Act, this rule adds a new policy at FAR 39.X02–1(b), Prohibited IoT devices in Federal information systems. The policy prescribed at FAR 39.X02–1(b) applies when agencies are acquiring IoT devices.

A. Applicability to Contracts at or Below the Simplified Acquisition Threshold

41 U.S.C. 1905 governs the applicability of laws to acquisitions at or below the SAT. Section 1905 generally limits the applicability of new laws when agencies are making acquisitions at or below the SAT, but provides that such acquisitions will not be exempt from a provision of law under certain circumstances, including when the FAR Council makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts and subcontracts in amounts not greater than the SAT from the provision of law. At the time of the final rule the FAR Council does not intend to make a determination to apply 15 U.S.C. 278g–3e to acquisitions at or below the SAT because paragraph (a)(2) of 15 U.S.C. 278g–3e expressly states that it applies to acquisitions in amounts not greater than the SAT; therefore, no additional determination is necessary under 41 U.S.C. 1905.

B. Applicability to Contracts for the Acquisition of Commercial Products and Commercial Services, Including Commercially Available Off-the-Shelf (COTS) Items

41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial products and commercial services, and is intended to limit the applicability of laws to contracts for the acquisition of commercial products and commercial services. Section 1906 provides that if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial products and commercial services.

41 U.S.C. 1907 states that acquisitions of COTS items will be exempt from certain provisions of law unless the Administrator for Federal Procurement Policy makes a written determination and finds that it would not be in the best interest of the Federal Government to exempt contracts for the procurement of COTS items.

At the time of the final rule the FAR Council intends to make a determination to apply 15 U.S.C. 278g–3e to acquisitions for commercial products and commercial services. At the time of the final rule, the Administrator for Federal Procurement Policy intends to make a determination to apply 15 U.S.C. 278g–3e to acquisitions for COTS items.

C. Determination(s)

This rule applies to acquisitions for commercial products, including COTS items, and commercial services, because Government data and systems require protection regardless of dollar value or commerciality of the product or service.

IV. Expected Impact of the Rule

The Government anticipates that this rule will reduce administrative costs for contractors interested in providing services to develop, implement, operate, or maintain a FIS. Over time, the FAR Council anticipates this proposed rule, once finalized, will increase competition by establishing a common set of policies and procedures that apply to FISs.

Establishing uniform requirements for the Government and contractors regarding FISs will significantly assist the Government in protecting Federal information and systems from malicious cyber campaigns that threaten the public and private sectors' security and Start Printed Page 68406 privacy. Currently, contract requirements for the cybersecurity standards of unclassified FISs are largely based on agency-specific policies and regulations, which can lead to inconsistent security requirements across contracts and unclear, inconsistent, or overly restrictive guidance to contractors. This rule will provide a more consistent and streamlined implementation of cybersecurity standards across the Federal Government.

A. Affected Entities

This rule proposes two new contract clauses for use when acquiring services to develop, implement, operate, or maintain a FIS. Specifically, the contracting officer will include—

• The clause at FAR 52.239–YY, Federal Information Systems Using Non-Cloud Computing Services, in solicitations and contracts that use or may use non-cloud computing services in performance of the contract; and
• The clause at FAR 52.239–XX, Federal Information Systems Using Cloud Computing Services, in solicitations and contracts that use or may use cloud computing services in performance of the contract.

According to subject matter experts, there are approximately 140 non-cloud FISs currently being operated or maintained by contractors on behalf of the Government. For this estimate, the Government conservatively assumes that the services for each of these non-cloud FISs are awarded on individual contracts and that each contract is awarded to a unique entity. It is assumed that each of these contracts have a five-year period of performance, and that the Government evenly awards the estimated 140 contracts over a five-year period (20 percent each year). Therefore, the Government estimates it awards 28 contracts ((20 percent * 140 non-cloud FISs) * 1 contract/FIS) to 28 unique contractors (28 contracts = 28 unique entities) annually for the development, implementation, operation, or maintenance of a non-cloud FIS on behalf of the Government.

According to FedRAMP data and subject matter experts, there are approximately 280 unique FedRAMP-authorized and ready cloud service offerings available to the Federal Government. For this estimate, the Government will award approximately 280 contracts for cloud services impacted by this rule over a five-year period (20 percent each year). Based on the number of FedRAMP-authorized offerings, the Government estimates that there are approximately 56 new or revised FIS offerings (20 percent * 280 cloud service offerings) each year for which the Government contracts. For this estimate, the Government assumes: the number of new or revised FIS offerings the Government contracts for each year is equivalent to the number new FIS impacted by this rule annually; one service provider is responsible for executing all the requirements of this rule for a FIS; and that each FIS is being serviced by a different contractor. Therefore, the Government estimates that 56 unique entities will be awarded a contract annually for the development, implementation, operation, or maintenance of a cloud FIS on behalf of the Government.

Based on the input of subject matter experts, the Government further estimates that:

• Of the 28 contractors that will be awarded a contract each year to operate or maintain a non-cloud FIS, approximately three (10 percent) are small businesses and 25 (90 percent) are other than small businesses.
• Of the 56 contractors that will be awarded a contract each year to operate or maintain a cloud FIS, approximately three (five percent) are small businesses and 53 (95 percent) are other than small businesses.

B. Contractor Compliance Requirements and Estimate of Cost

The total estimated annualized public costs associated with this FAR rule over a ten-year period (calculated at a 7-percent discount rate) are approximately $55 million annually, or $388 million in net present value, based on the discussion in paragraphs IV.B.1. through IV.B.7 below.

The following compliance requirements in FAR clause 52.239–YY and 52.239–XX are considered new to the FAR for all Federal contractors that develop, implement, operate, or maintain a FIS using cloud or non-cloud computing services, as applicable:

1. Regulatory Familiarization

The new FAR clauses are prescribed for use in solicitations and contracts for services to develop, implement, operate, or maintain a FIS. It is expected that all 84 contractors (28 non-cloud FIS contractors + 56 cloud FIS contractors) awarded a contract annually for these services will need, to some degree, to become familiar with the various compliance requirements of the FAR, as well as the requisite and applicable NIST SP guidelines, FIPS Publication standards, CISA BODs and EDs, and FedRAMP requirements, to be prepared to implement and maintain the cybersecurity standards and requirements for a FIS in performance of a Federal contract. It is assumed that most contractors will be familiar with, to some degree, some or all these documents.

Offerors will also need to be familiar with these requirements before submitting a proposal to provide such services. For each of the 84 contractors that receive a contract annually for these services, the Government estimates that, on average, two other offerors, or a total of 168 offerors (84 contractor awards * 2 unsuccessful offerors) will familiarize themselves with the clause requirements, submit a proposal, but will not receive a contract award.

As a result, it is expected that all 252 (84 contractors + 168 offerors) of these contractors and offerors will be required to become familiar with the various compliance requirements of the rule.

It is estimated that it will take each offeror or contractor eight hours, on average, to review the rule and gain a basic understanding these new requirements. The average wage rate of a contractor employee is estimated to be $57.28 per hour, which is the average of the mean wages reported by the Bureau of Labor Statistics (BLS) for various occupational categories that design, analyze, maintain, and oversee information systems for an organization. A factor of 42 percent, based on the BLS Employer Costs for Employee Compensation Summary dated March 17, 2023 ( https://www.bls.gov/​news.release/​ecec.nr0.htm), is applied to the average wage rate to account for total employee benefits paid for by the employer ($57.28 * 1.42 = $81.34), and a factor of 12 percent is then applied to the rate of $81.34 to account for employer overhead, which results in a loaded rate of $91.10 ($81.34 * 1.12) for FIS occupations.

Therefore, the estimated cost for 252 contractors and offerors to familiarize themselves with the rule in year one is approximately $183,700 (252 contractors and offerors * 8 hours/entity * $91.10/hour). The cost accounts for the time needed to comprehend the text of the rule, as well as locate and generally review the requirements within each of the cited documents in the rule.

2. Compliance With NIST Guidelines

All 28 contractors that develop, implement, operate, or maintain a FIS using non-cloud computing services are required by paragraphs (e) and (f) of the new clause 52.239–YY to use or apply various NIST SP guidelines for managing risk, security, and privacy, as applicable. The extent to which each of these guidance documents needs to be implemented by a contractor depends Start Printed Page 68407 on many variables, including: the extent to which the guidance is already implemented in the contractor's existing practices; the scope and requirements of each contract; the knowledge and expertise of the contractor's employees; the manner in which a contractor chooses to implement a requirement; and the resources and tools available to the contractor in performing the contract.

Based on the discussion in paragraphs IV.B.2.i. through IV.B.2.x. below, the total annual estimated cost for 28 contractors, as applicable, awarded a contract to develop, implement, operate, or maintain an existing or custom-build, non-cloud FIS on behalf of the Government, to comply with NIST guidelines in year one is approximately $19.6 million, and approximately $12 million each subsequent year for annual maintenance to remain compliant with existing NIST guidelines.

The cost for complying with NIST guidelines accounts for the time it takes contractors to closely read through the documents, analyze the requirements against the current state and identify any necessary changes, and implement and document the change, as needed.

i. NIST SP 800–53. The effort and resources a contractor will expend to comply with NIST SP 800–53 will also vary depending on whether the affected FIS is an existing system or a system that will be custom built to Government specifications.

Existing systems already implement some of the guidelines required by the clause or their implementation has been accepted by the Government, while custom-built systems have no pre-existing controls in place and will require a greater amount of effort and resources to be compliant with the clause. The Government estimates that of the 28 contractors annually awarded a contract to develop, implement, operate, or maintain a non-cloud FIS, approximately six contractors (20 percent) are awarded a contract involving a custom-build system, while the remaining 22 contractors (80 percent) are awarded a contract involving an existing system.

Contractors awarded a contract involving an existing non-cloud FIS are anticipated to expend between 2,300 and 6,500 hours and $218,000 and $683,000 in labor and materials in year one to implement, and between $127,000 and $478,000 each following year to maintain compliance with NIST SP 800–53. The cost and effort to implement and maintain compliance will vary by contractor depending on various factors, including: the complexity of the information system; the availability of employees with the requisite knowledge and skills to implement the necessary controls; the need to install hardware or software, and the chosen solution, as well as the number of users impacted, the types of devices used, and the complexity of the contractor's network.

Contractors awarded a contract involving a custom build non-cloud FIS will expend between 3,000 and 7,300 hours and between $308,000 and $976,000 in labor and materials in year one to implement, and between $126,000 and $478,000 each following year to maintain compliance with NIST SP 800–53. The cost and effort to maintain compliance will vary by contractor based on the factors discussed above.

ii. NIST SP 800–213. This document provides high level guidance that refers readers to other NIST SP documents addressed in this rule. Contractors may reference this guidance when their contracts involve IoT devices. As such, the Government assumes that a small percentage of the 28 contractors awarded a contract involving a non-cloud FIS, whose contract also involves IoT devices, may refer to this publication for direction to more detailed policy and guidance regarding the devices; However, the Government does not anticipate contractors expending significant effort reading and familiarizing themselves with the publication and considers these costs to be de minimis.

iii. NIST SP 800–39. NIST SP 800–39 identifies the Government's risk management responsibilities related to information systems. All contractors awarded a contract involving a non-cloud FIS will need to be aware of the requirements of the publication to adequately support the non-cloud FIS on behalf of the Government. As such, the Government assumes all 28 contractors awarded a contract involving a non-cloud FIS will expend effort to read and become more familiar with the publication. It is estimated that a contractor will expend approximately 4 hours reading NIST SP 800–39 in year one to become more familiar with its contents. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–39 is approximately $370(4 hours * $91.10).

iv. NIST SP 800–37. Contractors will reference this guidance to develop a high-level process to manage system risk through preparation, categorization, control selection, control implementation and assessment, system authorizations, and continuous monitoring. This guidance applies to contracts involving a custom-build system. As such, the Government assumes all 6 contractors awarded a contract involving a custom-build, non-cloud FIS will expend effort to comply with this guidance.

It is estimated that, in year one, a contractor will expend approximately 8 hours reading and ensuring the processes they develop incorporate the high-level guidance of NIST SP 800–37. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–37 is approximately $730 (8 hours * $91.10).

v. NIST SP 800–207. Contractors will reference this guidance when designing a zero-trust architecture approach for a system. This guidance applies to contracts involving a custom-build system; However, this document is very high level and applies to custom-build requirements in limited circumstances. For these reasons, the Government does not anticipate most contractors needing to read and familiarize themselves with the publication, as its application is unlikely in most custom-build contracts and, in such circumstances, any time spent reviewing the guidance will be very minimal.

vi. NIST SP 800–160, Volume 1. This guidance applies to contracts involving a custom-build system. Contractors will reference the current version of this guidance for considerations, concepts, tasks, and activities to be taken when designing a system. As such, the Government assumes all 6 contractors awarded a contract involving a custom-build, non-cloud FIS will expend effort to read and familiarize themselves with the publication and make any requisite adjustments to their security design process to be compliant with the guidance.

It is estimated that a contractor will expend approximately 40 hours reading to become more familiar and adjusting the FIS design process to comply with NIST SP 800–160 Volume 1 in year one. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–160 Volume 1 is approximately $3,600 (40 hours * $91.10).

vii. NIST SP 800–160, Volume 2. When requested by the Government, contractors will reference the current version of this guidance to select, adapt, and use cyber resiliency constructs for new systems, system upgrades, or repurposed systems. This guidance applies to contracts involving a custom-build system. As such, the Government assumes all 6 contractors awarded a Start Printed Page 68408 contract involving a custom-build, non-cloud FIS will expend effort to read and become more familiar with the publication.

It is estimated that a contractor will expend approximately 16 hours reading NIST SP 800–160 Volume 2 to become more familiar with its requirements in year one. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–160 Volume 2 is $1,500(16 hours * $91.10).

viii. NIST SP 800–30. Contractors will reference the current version of this guidance to develop and ensure existing processes prepare for, conduct, communicate results from, and maintain risk assessments over time. This guidance is applicable to all contracts involving a custom-build system, as these processes will need to be developed for those FIS, as well as some contracts involving existing systems where current processes need to be modified to comply with the guidance. As such, the Government assumes all 6 contractors awarded a contract involving a custom-build, non-cloud FIS, and 4 (20 percent * 22) contractors awarded a contract involving an existing, non-cloud FIS will expend effort to read and better familiarize themselves with the publication and develop new or adapt existing processes to the guidance of NIST SP 800–30.

Some contractors awarded a contract involving a non-cloud FIS will reference NIST SP 800–30 to develop and ensure risk assessment processes and procedures for the system incorporate the requirements of the publication. It is estimated that all 6 contractors awarded a contract involving a non-cloud, custom-build FIS, as well as 4 contractors (20 percent) awarded a contract involving an existing non-cloud FIS will expend approximately 120 hours (3 employees * 8 hours/day * 5 days) reading to become more familiar with and developing or adjusting processes and procedures to comply with NIST SP 800–30 in year one. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–30 is approximately $10,900 (120 hours * $91.10).

ix. NIST SP 800–63–3. Contractors may reference the current version of this guidance for more specific information regarding NIST SP 800–53 controls. As such, the Government assumes that the 28 contractors awarded a contract involving a non-cloud FIS will read and better familiarize themselves with this publication in conjunction with and as a part of their familiarization efforts and costs for NIST SP 800–53.

x. NIST SP 800–34. Contractors will reference the current version of this guidance to align its contingency plans for all IT systems to the requirements of NIST SP 800–34. This guidance will be applicable to all contracts involving a custom-build system, as these plans will need to be developed for when a new non-cloud FIS is being designed, as well as some contracts involving existing systems where current plans need to be modified to comply with the guidance. As such, the Government assumes all 6 contractors awarded a contract involving a custom-build, non-cloud FIS and 4 (20 percent * 22) of the contractors awarded a contract involving an existing, non-cloud FIS will expend effort to read and better familiarize themselves with the publication and develop new or adapt existing plans to the guidance of NIST SP 800–34.

Some contractors awarded a contract involving a non-cloud FIS will reference this guidance when developing new contingency plans for custom-build FISs and reviewing plans for some existing FISs to ensure the contractor's IT systems meet the requirements set forth in NIST SP 800–34. It is estimated that all 6 contractors awarded a contract involving a non-cloud, custom-build FIS, as well as 4 (20 percent) contractors awarded a contract involving an existing non-cloud FIS will expend approximately 120 hours (3 employees * 8 hours/day * 5 days) reading to become more familiar with and developing or adjusting plans to comply with NIST SP 800–34 in year one. Using an average loaded wage rate of $91.10 for FIS occupations, the total estimated labor cost for a contractor to comply with NIST SP 800–34 is $10,900(120 hours * $91.10).

3. Annual Assessments of the FIS

Paragraph (d) of the new clause 52.239–YY requires a contractor that develops, implements, operates, or maintains a FIS using non-cloud computing services and that FIS is designated as a moderate or high FIPS Publication 199 impact, to perform an annual, independent assessment of the security of each FIS, which includes an architectural review and penetration testing of the FIS. The contractor must also conduct, at least annually, cyber threat hunting and vulnerability assessment to search for cybersecurity risks, vulnerabilities, and indicators of compromise. Contractors are required to provide the contracting officer with the results of both assessments, including any recommended improvements or risk mitigations identified for the FIS. If the Government chooses not to require the contractor to implement a recommended improvement or risk mitigation and provides the contractor with a rationale for not implementing the recommendation, the contractor is required to document the Government's rationale for not implementing the recommendation in the contractor's system security plan.

Of the 140 non-cloud FISs currently being operated or maintained by contractors on behalf of the Government, the Government estimates that approximately 95 percent of those systems are designated as moderate or high FIPS 199 impacts. Applying that percentage to the estimated number of contractors annually awarded a contract to develop, implement, operate, or maintain a non-cloud FIS, it is estimated that 27 contractors (95 percent * 28 contractors) will be subject to the annual assessment requirements.

Based on the discussion in paragraphs IV.B.3.i. through IV.B.3.iii. below, the total annual estimated cost for 27 contractors that operate or maintain a non-cloud FIS designated as a moderate or high FIPS 199 impact to comply with the annual assessment requirements of the rule is approximately $6.6 million (27 contractors * ($112,000 + $132,000 + $182)). The cost of the annual assessments accounts for the time it takes contractors to prepare for, conduct, document, review, and submit an assessment.

i. Annual Independent Architectural Review and Penetration Test. This annual assessment includes an architectural review of the FIS, as well as penetration testing of the system. Based on the input of subject matter experts, the Government estimates the annual cost for a contractor to obtain an independent security assessment and architectural review of a FIS is approximately $52,000.

The Government estimates that four senior level employees will expend a total of 320 hours (4 individuals * 8 hours * 10 days) to complete the penetration testing of a FIS. According to subject matter experts, the average loaded wage rate of for a penetration tester is $250.00. The Government estimates the annual cost for a contractor to obtain independent penetration testing of a FIS is $80,000 (320 hours * $250).

Together, the annual cost to a contractor to obtain an independent assessment of the security of a FIS is approximately $132,000 ($52,000 + 80,000).

ii. Cyber Threat Hunting and Vulnerability Assessment. The Start Printed Page 68409 Government estimates that four senior level employees will expend a total of 448 hours (4 individuals * 8 hours * 14 days) to complete cyber threat hunting and the vulnerability assessment of a FIS. Using an average loaded wage rate of $250.00 for a cyber threat hunter/vulnerability assessor, the Government estimates the annual cost for a contractor to conduct a cyber threat hunting and vulnerability assessment of a FIS is approximately $112,000 (448 hours * $250).

iii. Submission of Assessments. The Government estimates a contractor will spend one hour preparing and submitting each assessment to the Government. Using an average loaded wage rate of $91.10 for FIS occupations, the total annual estimated cost for a contractor that operates or maintains a non-cloud FIS designated as a moderate or high FIPS 199 impact to submit both assessments to the Government is approximately $182 (1 hour * 2 responses * $91.10).

4. Submission of a Continuous Monitoring Strategy

Paragraph (f)(7) of the new clause 52.239–YY requires a contractor that develops, implements, operates, or maintains a non-cloud FIS to provide the Government with a continuous monitoring strategy for the FIS (as developed under NIST SP 800–53) that demonstrates an ongoing awareness of information security, vulnerabilities, and threats in order to support risk management decisions, and applies the use of automation, wherever possible; protects vulnerability scan data, logs, and telemetry; and applies the guidance of NIST SP 800–137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.”

All 28 contractors awarded a contract involving a non-cloud FIS will be required to develop or update their continuous monitoring strategy to meet the requirements of this rule. Many contractors will have developed a continuous monitoring strategy to comply with the guidance in NIST 800–53; however, those plans may need to be revised to demonstrate a continuous monitoring strategy. The Government estimates a contractor will spend, on average, 160 hours developing and/or documenting a continuous monitoring strategy, revising their existing strategy, as needed, and submitting the strategy to the Government. Using an average loaded wage rate of $91.10 for FIS occupations, the total annual estimated cost for a contractor that operates or maintains a non-cloud FIS to submit a continuous monitoring strategy to the Government is approximately $14,600 (160 hours * $91.10).

Based on the information above, the total annual estimated cost for 28 contractors that design, develop, operate, or maintain a non-cloud FIS to comply with the requirement for a continuous monitoring strategy in year one is approximately $408,000 (28 contractors * 160 hours * $91.10). The cost of the continuous monitoring strategy accounts for the time needed to analyze, develop, and document a strategy or review an existing strategy and make revisions, and prepare and submit the strategy to the Government.

5. Develop and Maintain a List of Operational Technology Equipment

Paragraph (k) of the new clause 52.239–YY requires all contractors that develop, implement, operate, or maintain a FIS using non-cloud computing services to develop and maintain a list of the physical location and other pertinent data on all of the operational technology (OT) equipment included within the boundary of the FIS. Contractors must provide the Government with a copy of the current and/or historical lists, upon request. All 28 contractors awarded a contract involving a non-cloud FIS will be required to develop, submit, and maintain a list of OT equipment.

The Government estimates that a contractor will expend approximately 80 hours developing the list in year one, and 40 hours updating and maintaining the list each year thereafter. Using an average loaded wage rate of $91.10 for FIS occupations, the annual estimated cost for a contractor that operates or maintains a non-cloud FIS to develop a list of OT equipment is approximately $7,300 (80 hours * $91.10), and approximately $3,600 to maintain the list thereafter.

It is estimated that the Government will annually request 6 (20 percent * 28 contractors) contractors provide a copy of the OT equipment list to the Government. It is estimated that a contractor will spend one hour preparing and submitting the list to the Government. Using an average loaded wage rate of $91.10 for FIS occupations, the total annual estimated cost for contractors to submit the OT equipment lists to the Government is approximately $550 (6 contractors * 1 hours * $91.10).

Based on the discussion above, the total annual estimated cost for 28 contractors that develop, implement, operate, or maintain a non-cloud FIS to develop the required OT equipment list in year one is approximately $204,000 (28 contractors * 80 hours * $91.10), and approximately $102,000 (28 contractors * 40 hours * $91.10) each following year to maintain the list annually. The cost accounts for the time needed to identify the requisite equipment, gather the required data, and document or update the information.

6. Binding Operational Directives and Emergency Directives

Paragraph (l) of the new clause 52.239–YY requires all contractors that develop, implement, operate, or maintain a FIS using non-cloud computing services to comply with any BODs or EDs issued by CISA that have a specific applicability to a FIS used or operated by a contractor. All 28 contractors awarded a contract involving a non-cloud FIS will be required to comply with CISA BODs and EDs. Currently, there are approximately 15 BODs and 10 EDs posted on CISA's cybersecurity directives website. The Government anticipates that contractors have already implemented all or some of the requirements of all or some BODs or EDs, as part of their company's cybersecurity health. As a result, the Government estimates that the requirements of approximately half of the BODs, or 8 BODS, and EDs, or 5 EDs, will still need to be implemented by a contractor because of this rule in year one. The Government estimates that approximately 3 new BODs or EDs will be issued, and need to be implemented by contractors, in each following year.

The requirements of the BODs and EDs vary in depth, scope, and complexity depending on the topic and issue being addressed. For this reason, subject matter experts estimate that, on average, it costs a contractor $10,000 to implement a new BOD or ED. As a result, the total annual estimated cost for a contractor that operates or maintains a non-cloud FIS to implement existing CISA BODs and EDs in year one is approximately $130,000 (13 × $10,000), and approximately $30,000 to implement new BODs or EDs issued each following year.

Based on the discussion above, the total annual estimated cost for 28 contractors that develop, implement, operate, or maintain a non-cloud FIS to implement the requirements of CISA BODs and EDs in year one is approximately $3,640,000 (28 contractors * 13 BODs and EDs * $10,000), and approximately $840,000 (28 contractors * 3 BODs & EDs * $10,000) each following year to maintain the list annually. The cost accounts for the time needed to identify Start Printed Page 68410 and implement the requisite requirements, as well as any material cost.

7. FedRAMP Cloud Computing Security and Privacy Requirements

The new clause 52.239–XX requires contractors that develop, implement, operate, or maintain a FIS using cloud computing services to implement and maintain security and privacy safeguards and controls for the system in accordance with the FedRAMP level specified in the contract, as well as certain requirements on multifactor authentication, administrative accounts, and consent banners specified in the contract. All 56 contractors awarded a contract to develop, implement, operate, or maintain a cloud FIS on behalf of the Government will expend effort and resources to be compliant with cloud computing security requirements at the FedRAMP level specified in the contract and certain requirements specified in the contract.

FedRAMP safeguards and controls are based upon the requirements of NIST SP 800–53 and specify the requirements that must be met for a cloud offering depending on the designation of the information system as a low, moderate, or high FIPS 199 impact level, which then equates to a single FedRAMP impact level. Based on a survey of the FedRAMP Marketplace website, most of the FedRAMP-authorized cloud service providers offer solutions designated as moderate FedRAMP impact level; Therefore, the Government bases the effort and resources needed to implement the requirements of FAR clause 52.239–XX on a cloud FIS designated as a FedRAMP moderate impact level.

The safeguards and controls required to meet a FedRAMP moderate impact level include and build upon the NIST SP 800–53 requirements for existing non-cloud FIS systems. As such, the rule uses the costs to implement NIST SP 800–53 for non-cloud FIS as a starting point and then accounts for the additional costs and impacts for contractors to implement approximately 16 additional NIST SP 800–53 controls, which are not required for non-cloud FISs, to be compliant with FedRAMP moderate impact level requirements. Subject matter expects estimate that the effort to implement these 16 additional controls, and those requirements for multifactor authentication, administrative accounts, and consent banners, is approximately 25 percent of the total estimated hours and cost to implement NIST SP 800–53.

Therefore, contractors awarded a contract involving a cloud FIS are anticipated to expend between 2,900 (2,300 hours * 1.25) and 8,200 hours (6,500 hours * 1.25) and $273,000 ($218,000 * 1.25) and $854,000 ($683,000 * 1.25) in labor and materials in year one to implement, and between $158,000 ($127,000 * 1.25) and $598,000 (478,000 * 1.25) each following year to maintain compliance with NIST SP 800–53 and the contract requirements on multifactor authentication, administrative accounts, and consent banners.

Based on the discussion above, the total annual estimated cost for 56 contractors that develop, implement, operate, or maintain a cloud FIS to maintain compliance with FedRAMP requirements, and the requirements specified in the contract as identified above, in year one is approximately $46 million, and approximately $32,000,000, each following year to maintain compliance with FedRAMP requirements and the contract, as specified. The cost of the compliance includes the time needed to read and implement NIST SP 800–53 requirements, as well as the additional NIST SP 800–53 controls needed to be compliant with FedRAMP and the contract requirements regarding multifactor authentication, administrative accounts, and consent banners.

The following is a summary of the total initial and subsequent year costs to the public as described in section IV.

C. Government Compliance Requirements

The total estimated annualized costs to the Government associated with this FAR rule over a ten-year period are approximately $136,000 (calculated at a 7-percent discount rate).

The following specific compliance requirements related to FAR clause 52.239–XX and 52.239–YY are tasks for the Government:

1. Review and Analyze Annual Assessments

The Government must review and analyze each of the 54 assessments provided by contractors annually (see 39.X03(c)) and provide a recommendation to the contractor to implement, or a rationale for not implementing, each recommendation in the contractor's assessments.

It is estimated that a General Schedule (GS) 15/step 5 employee will spend 20 hours reviewing, analyzing, and drafting recommendation responses for each assessment. The wage rate of a GS 15/step 5 employee is $74.35 per hour, according to the Office of Personnel Management (OPM) 2023 GS Locality Pay Table for the rest of the United States ( https://www.opm.gov/​policy-data-oversight/​pay-leave/​salaries-wages/​salary-tables/​pdf/​2023/​RUS_​h.pdf). A factor of 36.25 percent, based on OMB M–08–13, Update to Civilian Position Full Fringe Benefit Cost Factor, is applied to the average wage rate to account for total employee benefits paid for by the Government ($74.35 * 1.3625 = $101.30), and a factor of 12 percent is then applied to the rate of $101.30 to account for overhead, which results in a loaded rate of $113.46 ($101.30 * 1.12).

Based on the discussion above, the total annual estimated cost for the Government to review, analyze, and Start Printed Page 68411 respond to 54 annual assessment submissions each year is approximately $122,537 (54 responses * 20 hours * $113.46).

2. Review List of Operational Technology Equipment

Upon submission, the Government must review approximately six lists of OT equipment submitted by contractors each year (see 39.X03(k)).

It is estimated that a GS 15/step 5 employee will spend 20 hours reviewing, analyzing, and processing a contractor's submission. Using an average loaded wage rate of $113.46 for GS Schedule 15/step 5 employees, the total annual estimated cost for the Government to review, analyze, and file six OT equipment list submissions each year is approximately $13,615 (6 responses * 20 hours * $113.46).

3. Review Continuous Monitoring Strategy

Upon submission, the Government must review approximately 28 continuous monitoring strategies provided by contractors each year (see 39.X03(f)). It is estimated that a GS 15/step 5 employee will spend 20 hours reviewing, analyzing, and processing a contractor's submission. Using an average loaded wage rate of $113.46 for GS 15/step 5 employees, the total annual estimated cost for the Government to review, analyze, and file 28 continuous monitoring strategy submissions each year is approximately $63,538 (28 responses * 20 hours * $113.46).

V. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule is a significant regulatory action under E.O. 12866, and therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993.

VI. Regulatory Flexibility Act

DoD, GSA, and NASA do not expect this proposed rule, when finalized, to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601–612, because the rule applies to a small number of entities that develop, implement, operate, or maintain a FIS on behalf of the Government. However, an Initial Regulatory Flexibility Analysis (IRFA) has been performed and is summarized as follows:

DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement standardized cybersecurity contractual requirements across Federal agencies for unclassified Federal Information Systems (FIS) pursuant to recommendations received in accordance with paragraph (i) of section 2 of E.O. 14028, “Improving the Nation's Cybersecurity,” dated May 12, 2021.

The objective of this rule is to implement standardized cybersecurity requirements in Federal contracts for services to develop, implement, operate, or maintain a FIS on behalf of the Government. This rule will help protect and secure FISs, while streamlining the cybersecurity requirements for applicable contracts and improving contractor and Federal compliance with cybersecurity requirements for these systems. The legal basis for this rule is paragraph (i) of section 2 of Executive Order 14028, “Improving the Nation's Cybersecurity,” dated May 12, 2021; and paragraphs (a) and (b)(1) of section 7 of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Pub. L. 116–207). Promulgation of FAR regulations is authorized by 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

This proposed rule will impact small businesses awarded a contract to develop, implement, operate, or maintain a FIS on behalf of the Government. The Government acknowledges that large businesses awarded a contract for such services may further subcontract some of the services that are subject to the requirements of the clauses. As such, the Government estimates that up to an additional seven small business entities may receive a subcontract to develop, implement, operate, or maintain a FIS under a prime contract for the same services.

The responsibilities prescribed to contractors under this rule apply per FIS, not per contractor or subcontractor. Multiple entities will not be responsible for implementing or executing the same requirement for the same FIS; As such, the Government describes the impact of this rule on small business under the assumption that each of the responsibilities described below will be subcontracted to a small business at least once annually.

According to subject matter experts, there are approximately 140 non-cloud FISs currently being operated or maintained by contractors on behalf of the Government. The Government estimates it awards 28 contracts ((20 percent * 140 non-cloud FISs) * 1 contract/FIS) to 28 unique contractors (28 contracts = 28 unique entities) annually for the development, implementation, operation, or maintenance of a non-cloud FIS on behalf of the Government. Of the 28 contractors to be awarded a contract each year to operate or maintain a non-cloud FIS, approximately three (28 contractors * 10 percent) are small businesses.

According to FedRAMP data and subject matter experts, there are approximately 280 unique FedRAMP-authorized and ready cloud service offerings available to the Federal Government. Based on the number of FedRAMP-authorized offerings, the Government estimates that there are approximately 56 new or revised FIS offerings (20 percent * 280 cloud service offerings) each year for which the Government contracts. Therefore, the Government estimates that 56 unique entities to be awarded a contract annually for the development, implementation, operation, or maintenance of a cloud FIS on behalf of the Government, of which approximately three (56 contractors * five percent) are small businesses.

The proposed rule requires contractors awarded a contract or subcontract to develop, implement, operate, or maintain a FIS to read and become familiar with the rule, as well as review the applicable standards documents identified in the rule. The proposed rule also requires contractors awarded a contract or subcontract to develop, implement, operate, or maintain a FIS using other than cloud computing services ( i.e., “non-cloud FIS”) to: (1) Develop and maintain a list of the physical location of all operational technology (OT) equipment included within the boundary of the non-cloud FIS; (2) When requested by the Government, submit a copy of the OT equipment list to the Government; (3) Submit a copy of their continuous monitoring strategy for the FIS; and (4) For FISs categorized as FIPS Publication 199 moderate or high security impact, submit the results of: an annual independent assessment of the security of the FIS, and an annual cyber threat hunting and vulnerability assessment.

A. Regulatory Familiarization and Standards Document Reviews

It is estimated that approximately all six small business entities, and up to seven small business subcontractor entities, awarded a contract to design, implement, operate, or maintain a FIS on behalf of the Government will need to become familiar with the various compliance requirements of the new clauses 52.239–YY or 52.239–XX, as well as review any applicable standards documents, to be prepared to develop, implement, operate, or maintain a cloud and/or non-cloud FIS, as applicable.

B. Develop and Submit OT Equipment List

It is estimated that approximately three small business entities, and up to seven small business subcontractor entities, will be awarded a contract or subcontract annually to develop, implement, operate, or maintain a non-cloud FIS. Each of these entities, will be required to develop, maintain, and submit a list of OT equipment for the duration of the contract. The list must include: (1) the identification and location of any controllers, relays, sensors, pumps, actuators, Open Platform Communications Unified Architecture devices, and other industrial control system devices, as well as all the IP Start Printed Page 68412 addresses assigned to the different hardware components, used in performance of the contract; (2) An explanation of whether the device is password protected and, if so, whether it can be changed, (3) an explanation of whether the device is accessible remotely; and (4) whether multi-factor authentication is present and enabled. The location information in the list must include enough detail to affirmatively locate the OT equipment, when necessary, and track any movement of such equipment during performance of the contract. It is estimated that one of these three small business entities, and up to seven small business subcontractor entities, will be asked to submit the OT equipment list to the Government each year.

To develop and maintain the list of OT equipment, a small business will need at least one employee within an information system occupation series ( e.g., computer system analyst, information security analyst, system administrator, network architect) to identify the requisite devices used in performance of the contract, track the location of such devices as changes occur, and update and modify the OT equipment list as necessary.

C. Submit Continuous Monitoring Strategy

All three small business entities, and up to seven small business subcontractor entities, awarded a contract annually to develop, implement, operate, or maintain a non-cloud FIS will be required to submit a copy of their continuous monitoring strategy for the FIS that demonstrates an ongoing awareness of information security, vulnerabilities, and threats in order to support risk management decisions, and applies the use of automation, wherever possible; protects vulnerability scan data, logs, and telemetry; and applies the guidance of NIST SP 800–137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.” A small business will need at least one employee within an information system occupation series ( e.g., computer system analyst, information security analyst, system administrator, network architect) to review and submit the continuous monitoring strategy.

D. Submit Annual Assessments

Of the 140 non-cloud FISs currently being operated or maintained by contractors on behalf of the Government, the Government estimates that approximately 95 percent of those systems are designated as moderate or high FIPS 199 impacts. Applying that percentage to the estimated number of contractors annually awarded a contract to develop, implement, operate, or maintain a non-cloud FIS, it is estimated that 27 contractors (95 percent * 28 contractors), of which 2 are estimated to be small business, will be subject to the annual assessment requirements.

These two small business entities, and up to seven small business subcontractor entities, will be awarded a contract with a FIS designated as moderate or high FIPS Publication 199 impact and be required to submit the results of the two annual assessments to the Government. The assessment of the security of the FIS must be an independent assessment that is not conducted by the contractor. The cyber threat hunting and vulnerability assessment may be completed by the contractor. A small business must submit the results of both assessments, including any recommended improvements or risk mitigations identified for the FIS, to the Government. A small business will need at least one employee within an information system occupation series to review and submit the annual assessments to the Government, as well as implement any recommended solutions resulting from the assessments. If an entity chooses to conduct the cyber threat hunting and vulnerability assessment on their own, the entity will need at least one subject matter expert in cyber threat hunting and vulnerability assessment, as well as experience with system assessment, analysis, and audit.

This rule proposes to standardize common cybersecurity contractual requirements across Federal agencies. To do so, E.O. 14028 required a review of agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract to form the recommendation for the standardized contract language proposed in this rule. As a result, this rule may duplicate, overlap, or conflict with existing agency-specific cybersecurity contract clauses. Section 2. Paragraph (k) of the E.O. resolves the issue of duplication, overlap, or conflict by requiring agencies, upon final publication of this rule, to update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of this rule. There are no known significant alternative approaches to the proposed rule.

The Regulatory Secretariat Division has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat Division. DoD, GSA, and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by the rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite “5 U.S.C. 610 (FAR Case 2021–019)”, in correspondence.

VII. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. 3501–3521) applies because the proposed rule contains information collection requirements. Accordingly, the Regulatory Secretariat Division has submitted a request for approval of a new information collection requirement concerning Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems to the Office of Management and Budget.

A. Public Reporting Burden for This Collection of Information

1. Submit Annual Assessment of FIS

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information.

The annual reporting burden estimated as follows:

Respondents/Recordkeepers: 27.

Total Annual Responses: 54.

Total Burden Hours: 54.

This estimate is based on two responses per respondent.

2. Maintain and Submit a List of Operational Technology Equipment

The public recordkeeping burden for this collection of information is estimated to annually require one recordkeeper who spends 80 hours per contract to maintain the list:

Recordkeepers: 28.

Total annual records: 28.

Total recordkeeping burden hours: 2,240.

The public reporting burden for this collection of information is estimated to average 1 hour per response to review and submit the list. The annual reporting burden is estimated as follows:

Respondents: 6.

Total Annual Responses: 6.

Total Burden Hours: 6.

This estimate is based on one response per respondent.

3. Submit Continuous Monitoring Strategy

Public reporting burden for this collection of information is estimated to average 160 hours per response to develop, document, review, and submit the strategy. The annual reporting burden is estimated as follows:

Respondents: 28.

Total Annual Responses: 28.

Total Burden Hours: 4,480.

This estimate is based on one response per respondent.

B. Request for Comments Regarding Paperwork Burden

Submit comments on this collection of information no later than December 4, 2023 through https://www.regulations.gov and follow the instructions on the site. All items submitted must cite OMB Control No. 9000–XXXX, Standardizing Cybersecurity Requirements for Start Printed Page 68413 Unclassified Federal Information Systems. Comments received generally will be posted without change to https://www.regulations.gov, including any personal and/or business confidential information provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission to verify posting. If there are difficulties submitting comments, contact the GSA Regulatory Secretariat Division at 202–501–4755 or GSARegSec@gsa.gov.

Public comments are particularly invited on:

• The necessity of this collection of information for the proper performance of the functions of Federal Government acquisitions, including whether the information will have practical utility;
• The accuracy of the estimate of the burden of this collection of information;
• Ways to enhance the quality, utility, and clarity of the information to be collected; and
• Ways to minimize the burden of the collection of information on respondents, including the use of automated collection techniques or other forms of information technology.

Requesters may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat Division by calling 202–501–4755 or emailing GSARegSec@gsa.gov. Please cite OMB Control Number 9000–XXXX, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, in all correspondence.

List of Subjects in 48 CFR Parts 1, 2, 4, 7, 10, 11, 12, 37, 39, and 52

• Government procurement

Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 1, 2, 4, 7, 10, 11, 12, 37, 39, and 52 as set forth below:

1. The authority citation for 48 CFR parts 1, 2, 4, 7, 10, 11, 12, 37, 39, and 52 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

PART 1—FEDERAL ACQUISITION REGULATIONS SYSTEM

2. In section 1.106 amend in the table following the introductory text, by adding in numerical order, entries for “52.239–XX” and “52.239–YY” and its corresponding OMB control No. “9000–XXXX” to read as follows:

PART 2—DEFINITIONS OF WORDS AND TERMS

3. Amend section 2.101, in paragraph (b)(2) by—

a. In the definition of “Component”, removing from the end of paragraph (3) the word “and”; removing from the end of paragraph (4) “52.225–23(a).” and adding “52.225–23(a); and” in its place; and adding a new paragraph (5);

b. Removing the definitions “Federally-controlled information system” and “Information and communication technology (ICT)”;

c. Adding in alphabetical order the definitions “Federal information system”, “Government data”, “Information”, “Information and communications technology (ICT)”, and “Information system”;

d. In the definition of “Information technology”, revising paragraph (3)(ii); and

e. Adding in alphabetical order the definitions “Internet of Things (IoT) devices”, “Operational technology”, “Telecommunications equipment”, and “Telecommunications services”.

The revisions and additions read as follows:

PART 4—ADMINISTRATIVE AND INFORMATION MATTERS

4. Amend section 4.1301 by removing from paragraphs (a) and (b) “Federally-controlled information” and adding “Federal information” in their places; respectively.

5. Amend section 4.1303 by removing from the text “Federally-controlled information” and adding “Federal information” in its place.

6. Amend section 4.1901 by removing the definitions of “Information” and “Information system”.

PART 7—ACQUISITION PLANNING

7. Amend section 7.103 by—

a. Removing from paragraph (q) “information and communication technology” and adding “information and communications technology” in its place; and

b. Adding paragraph (z).

The addition reads as follows.

8. Amend section 7.105 by removing from paragraph (b)(18)(iii) “Federally-controlled information” and adding “Federal information” in its place and adding paragraph (b)(18)(v) to read as follows:

PART 10—MARKET RESEARCH

9. Amend section 10.001 by removing from paragraph (a)(3)(ix) “information and communication technology” and adding “information and communications technology” in its place.

PART 11—DESCRIBING AGENCY NEEDS

10. Amend section 11.002 by removing from paragraph (f)(1)(i) “information and communication technology” and adding “information and communications technology” in its place.

PART 12—ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL SERVICES

11. Amend section 12.202 by removing from paragraph (d) “information and communication technology” and adding “information and communications technology” in its place.

PART 37—SERVICE CONTRACTING

12. Amend section 37.000 by removing from the text “information technology” and adding “information and communications technology” in its place.

PART 39—ACQUISITION OF INFORMATION AND COMMUNICATIONS TECHNOLOGY

13. Revise the heading for part 39 to read as set forth above.

14. Amend section 39.000 by removing from paragraph (a) “Management of Federal Information Resources” and adding “Managing Information as a Strategic Resource” in its place; and revising paragraph (b) to read as follows:

15. Amend section 39.001 by revising the first sentence of paragraph (a) and revising paragraph (b) to read as follows:

16. Revise subpart 39.2 heading to read as follows:

Subpart 39.2—Information and Communications Technology Accessibility

17. Amend section 39.201 by removing from paragraph (a) “information and communication technology” and adding “information and communications technology” in its place.

18. Add a new subpart 39.X to read as follows:

Subpart 39.X—Federal Information Systems

PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

19. Amend section 52.204–9 by—

a. Revising the date of the clause; and

b. Removing from paragraph (d) “Federally-controlled information” and adding “Federal information” in its place.

The revision reads as follows:

20. Amend section 52.212–5 by—

a. Revising the date of the clause;

b. Redesignating paragraphs (b)(63) through (64) as paragraphs (b)(65) through (66);

c. Adding new paragraphs (b)(63) and (64);

d. Redesignating paragraph (e)(1)(xxiv) as paragraph (e)(1)(xxvi);

e. Adding new paragraphs (e)(1)(xxiv) and (xxv);

f. In Alternate II by—

i. Revising the date of Alternate II;

ii. Redesignating paragraphs (e)(1)(ii)(W) as paragraph (e)(1)(ii)(Y); and adding new paragraphs (e)(1)(ii)(W) and (X);

The revisions and additions read as follows:

21. Amend section 52.213–4 by—

a. Revising the date of the clause;

b. Adding paragraphs (a)(1)(xii) and (xiii); and

c. Revising the date of paragraph (a)(2)(vii).

The additions and revisions read as follows:

22. Adding new sections 52.239–XX and 52.239–YY to read as follows:

23. Amend section 52.244–6 by—

a. Revising the date of the clause; and

b. Redesignating paragraph (c)(1)(xxi) as (c)(1)(xxiii) and adding new paragraphs (c)(1)(xxi) and (xxii).

The revisions read as follows: