The Federal Acquisition Regulatory Council is evaluating at least 12 proposed rules meant to implement cybersecurity requirements across the government procurement process driven by the cybersecurity executive order, national cyber strategy and other policies, Federal News Network reported Monday.
Jeff Koses, senior procurement executive at the General Services Administration, said the increasing number of cyber acquisition rules being proposed reflects the importance the White House and Congress are giving to cybersecurity.
Koses mentioned that two of the rules being reviewed by the FAR Council focus on secure software development and incident reporting.
“Hopefully you all have seen the recent form that the Cybersecurity and Infrastructure Security Agency issued. The basic requirement comes down to software producers are going to be required to attest that they have secure development practices. CISA has drafted and posted a common form that basically outlines what they will be looking for in that attestation. And that attestation itself is going to become the basis of the FAR case,” Koses said at an Aug. 2 summit.
“The incident reporting is really trying to put focus on the core ideas about prevent, detect, assess and remediate. They’re trying to put that focus on the role itself,” he noted.
He added that the proposed incident reporting rule is currently under review at the Office of Management and Budget’s Office of Information and Regulatory Affairs.
Koses said there are plans to develop a new section within the Federal Acquisition Regulation containing the cybersecurity requirements.
“We are proposing to create a new part of the FAR, FAR Part 40, as the home for all of the cybersecurity requirements. We think it cannot be confused with pure IT requirements — cybersecurity is everything everywhere, and it needs its own home,” he commented.