Feds Tackling Information Security in Government Procurement

GSA Establishes Framework for Security Regulations Covering Federal Acquisitions
The General Services Administration and other agencies created a new section in the Federal Acquisition Regulation for cybersecurity. (Image: Shutterstock)

The federal government aims to streamline its information security and supply chain security procurement policies as part of an effort to bolster cyber defenses and better safeguard federal systems.

The General Services Administration, NASA and the Department of Defense - the three federal agencies responsible for maintaining the extensive set of rules governing federal acquisition - published a final rule Monday establishing an entirely new component to the Federal Acquisition Regulation. FAR part 40 will contain the vast scope of policies and procedures for managing information security and supply chain security throughout the federal procurement process, according to the notice.

For now, the new section is just a placeholder. The agencies say they will later add policies and procedures for managing information security.

The rules surrounding information security and supply chain security are currently dispersed across the FAR, "which makes it difficult for the acquisition workforce to locate, understand, and implement applicable requirements," the agencies wrote. FAR part 40 will establish a single, consolidated location where contracting officers can find and implement relevant requirements, as well as review security policies and procedures for agencies procuring goods and services.

The new part will house a broad range of security requirements across federal acquisitions, according to the final rule, including security regulations "designed to bolster national security" against cybersecurity supply chain risks and threats associated with foreign adversaries and emerging technologies. Other supply chain and information risks unrelated to security - such as those related to climate change, labor and human trafficking - will remain covered in separate parts of the FAR.

FAR part 40 will be officially established in May, while the relocation of existing security policies for supply chains and information security will be done through separate rule-making, the notice says.

The FAR amendment is required under the Biden administration's 2021 cybersecurity executive order, which tasks agencies with improving their security posture and enhancing software supply chain integrity (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways). Security requirements related exclusively to information and communications technology acquisitions will continue to be covered in FAR part 39, which includes policies and procedures for agencies acquiring information technology systems.

About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
