On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.

Who Will the Standardization of Cybersecurity Contractual Requirements Affect?

Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”). What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”

FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.” The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services).

The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.

How Will the Proposed Rule Change the Status Quo?

The proposed rule addresses a number of key issues:

The proposed rule would require contractors to indemnify the government from “any liability that arises out of the performance of the contract and is incurred because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.” Even more significant is the proposed waiver provision, in which the contractor would “agree to waive any and all defenses that may be asserted for its benefit.” The waiver, in its current form, creates strict liability for the contractor.

Records Management and Government Access. The proposed rule would require contractors to provide the government and government-authorized representatives with timely and full access to data for purposes of audit and investigation.

Agencies would be tasked with classifying FIS. If an agency classified a contractor’s FIS as moderate or high, contractors would be required to conduct annual vulnerability assessments and perform independent assessments on the security of the FIS, submitting findings to the contracting officer.

The proposed rule would require agencies to articulate security and privacy controls required to support contract performance. Contractors would then be required to maintain a system security plan, with enhanced controls required for FIS designated by an agency as “high value assets” (per Office of Management and Budget memorandum M-19-03). The draft clause would also require contractors to apply National Institute of Standards and Technology guidance when managing certain activities related to the FIS, including by providing the government with a copy of the contractor’s written monitoring strategy demonstrating the contractor’s awareness of information security risks.

Use and Disclosure of Government and Government-Related Data Restricted. The rule would limit the use and disclosure of government and government-related data by the contractor without authorization.