FAR updates that would mandate cyber incident reporting for contractors a year or more away

OMB has submitted two proposals for updating contract language to the FAR Council.

Updates to the Federal Acquisition Regulation that will standardize requirements for federal contractors to disclose cyber incidents will be implemented within the next year or two, according to federal Chief Information Security Officer Chris DeRusha.

“It seems like a pretty logical thing to do,” DeRusha said Friday, commenting on the requirements. “But, frankly, it’s not something we’d done to date.”

The Office of Management and Budget has already submitted two proposals to the Federal Acquisition Regulation (FAR) Council to eliminate specific contract clauses that harm information sharing while including others identified as best practices through a data call.

The Cybersecurity Executive Order issued in May 2021 directed OMB and partner agencies to recommend updates to the FAR Council, and both proposals will be posted for public comment shortly.


The federal cybersecurity leader was speaking at the ACT-IAC Cybersecurity Forum.

Procurement is where most cybersecurity slowdown occurs, and streamlining contract clauses will reduce the time from requests for proposals to production, DeRusha added.

Agencies shouldn’t wait for new FAR requirements to be published to begin standardizing security requirements, said Steven Hernandez, CISO for the Department of Education. The department already has a FAR deviation it uses to include supply chain actions, secure software requirements, and Federal Risk and Authorization Management Program adherence in contracts.

Already software startups are adhering to the deviation and beating out incumbents for new Education contracts.

“We had some folks step up, that we had never done business with before, and say, ‘We can do all this, and we would be happy as can be to partner with the Department of Education in growing security,’ not just on security specific actions but also in our mission space,” Hernandez said.


The Department of Justice launched a Cyber-Civil Fraud Initiative in October to prosecute contractors that fail to report cyber incidents to the agencies they’re working with.

Given tensions over the Russian invasion of Ukraine, the federal cyber community is “seriously concerned” with a potential cyberattack — direct or something like NotPetya that spreads uncontrollably to affect critical infrastructure, DeRusha said.

For that reason, OMB and the Office of the National Cyber Director, where DeRusha is deputy, are emphasizing that agencies rearchitect systems and establish security controls like encryption to reduce threats to a manageable level.

“I don’t think we want a Shields Up mentality in perpetuity,” DeRusha said. “It’s something that is going to be really hard to sustain.”

That’s one reason the White House’s immediate cyber agenda has been so aggressive.


OMB’s draft memo on implementing the Secure Software Development Framework is forthcoming and represents the government using its buying power to drive industry toward safer practices.

Other near-term White House priorities include establishing centralized endpoint detection and response and developing secure multifactor authentication.

The Cyber Safety Review Board newly brings together senior government officials and industry representatives, with a goal of publicly reporting cyber incidents post-review.

Lastly, the White House is working with the inspectors general community to identify a subset of security performance metrics that should be reviewed annually.

“We’re now really dialing in a bit more on the things that are hopefully showing actual risk reduction in our environments and recent attack surfaces,” DeRusha said.
