New FAR Part 40 – What You Need to Know

Key Details: In April 2024, the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) issued a final rule that amended the Federal Acquisition Regulation (FAR) and added the framework for a new FAR Part 40. The final rule does not implement any of the policies or procedures contained within the new FAR part but creates the framework for information and supply chain security. This final rule was effective May 1, 2024.
The federal government has been increasing its focus on national security and information protection. Government contractors are encouraged to stay up to date on the DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 program implementation and forthcoming requirements. As noted in our prior release here, the DoD published a highly anticipated final rule for the CMMC program that established a framework to protect sensitive information.
Ryan & Wetmore is poised to take your government contracting business to the next level. Contact us today to discuss how our customized solutions can help you grow.
Background
Currently, applicable information and supply chain security policies and procedures are housed across multiple FAR parts, making the various requirements difficult to navigate, understand, and implement. The new FAR Part 40 will house, in a single location, the policies and procedures for managing information security and supply chain security when acquiring products or services. Separate rulemaking will relocate the existing policies and procedures into the new part. As such, FAR Part 40 aims to be the central location for cybersecurity and supply chain requirements, enabling contractors to easily review the policies and procedures that apply to them.
What Does FAR Part 40 Cover?
The new FAR part will cover broad security requirements, including those designed to strengthen national security through managing adversary-based supply chain, cybersecurity, emerging technology, and foreign-based risks. FAR Part 40 also covers security-related requirements for information and communications technology (ICT). Contractors should note that supply chain or information risks that do not relate to security will remain in other parts of the FAR.
Stay Mindful of CMMC 2.0
As noted earlier, the federal government is placing greater emphasis on the importance of protecting information. Government contractors should establish comprehensive cybersecurity protocols to remain in compliance. Of particular importance is the CMMC 2.0 program, which began in 2020 through an interim rule that implemented the initial vision for the CMMC program (CMMC 1.0). In March 2021, the DoD conducted an internal review of the CMMC program and refined the policy and program implementation. In November 2021, CMMC 2.0 was announced, updating the program requirements to contain only 3 maturity levels. CMMC 2.0 applies to DoD prime contractors and covered subcontractors that provide commercial products and services that store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on non-federal systems. Contractors are encouraged to perform a self-assessment of their cybersecurity infrastructure and to read our article here for more information on the CMMC program.
General Security Requirements
Contractors of all sizes should establish and implement general security policies and procedures to protect their information. Items to consider include, but are not limited to, the following:
- IT and security training for all employees relating to phishing, email fraud, credential management, password policies, identity management, access control, and asset management.
- Establish endpoint security measures for devices such as laptops, computers, and phones and use managed anti-virus or threat protection services.
- Review your email management policies such as authentication methods for recipients to verify message authenticity.
- Ensure adequate web browser management to limit access to extensions and other third-party modification tools. Also ensure website management procedures are implemented to prevent customers from uploading sensitive information.
- Review your data management procedures and inventory all software application data and storage locations.
- Assess your cloud service management policies and review the functionality for restoring deleted data from the cloud, data export policies, and whether accounts are protected by multifactor authentication.
- Use online business banking to review accounts frequently, and require dual authorization for all monetary transactions.
- Implement a cybersecurity risk management program that provides oversight and accountability and establishes reporting lines in case of cybersecurity incidents.
Conclusion and Action Plan
Separate rulemaking will be executed to consolidate applicable policies and procedures under FAR Part 40. In the meantime, contractors are encouraged to perform the following activities to stay ahead:
- Familiarize yourself with information and supply chain security requirements.
- Perform an internal assessment of your company’s security infrastructure.
- Adjust policies and procedures as required to remain compliant.
- Review your current contract clauses to determine if additional security requirements are applicable.
- Perform information and supply chain security training to ensure employees understand their roles.
- Review CMMC 2.0 program levels and requirements and compare against your current cybersecurity infrastructure.
For further information and expertise, contact Ryan & Wetmore today.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Rosie Cheng
Finance Consultant
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.