The Department of Defense’s cybersecurity requirements for Covered Defense Information became effective on Dec. 31, 2017. See DFARS 52.204-7012. There is no corresponding FAR cybersecurity rule, leaving the civilian agencies to establish their own information assurance and breach reporting requirements. Government contractors anticipated new FAR cybersecurity regulations in 2017, and with them, a more uniform set of standards for the civilian agencies. These regulations still have not been published.
Instead, federal government contractors should expect another layer of cyber regulation in 2018. The General Services Administration’s (GSA) semi-annual regulatory agenda (83 Fed. Reg. 1940) gives notice of upcoming amendments to the GSA Acquisition Regulation (GSAR) that will impose cybersecurity standards on GSA contractors. These regulations will cover internal contractor systems, external systems, cloud systems, and mobile systems. According to the regulatory agenda, the rules will require GSA contracting officers to incorporate the cyber standards in GSA statements of work. These proposed rules are scheduled for release in April.
In addition, GSA will be issuing proposed rules governing GSA contractors’ duty to report cyber incursions or potential compromises of their information systems. These regulations will establish a timeframe for reporting and documenting these incidents. The breach reporting requirements will also be incorporated into GSA contracts. The expected publication date for the proposed reporting regulations is June 2018.
Thus, it appears that government contractors will remain subject to agency-specific cybersecurity regulations, instead of a more uniform regulatory scheme, for the foreseeable future.