DoD’s cybersecurity requirements for Covered Defense Information became effective at year-end, but despite contractor expectations, there is still no corresponding Federal Acquisition Regulation cybersecurity rule, leaving civilian agencies to establish their own information assurance and breach reporting requirements. Instead, contractors should expect another layer of cyber regulation in 2018.

Coming amendments to the GSA Acquisition Regulation (GSAR) will cover internal contractor systems, external systems, cloud systems, and mobile systems. According to the GSA’s regulatory agenda, the rules will require GSA contracting officers to incorporate the cyber standards into GSA statements of work. These proposed rules are scheduled for release in April.

In addition, GSA will be issuing proposed rules governing GSA contractors’ duty to report cyber incursions or potential compromises of their information systems, establishing a timeframe for reporting and documenting them. These requirements will also be incorporated into GSA contracts. The expected publication date for these regulations is June.

Thus, it appears that government contractors will remain subject to agency-specific cybersecurity regulations, instead of a more uniform regulatory scheme, for the foreseeable future.

More at Holland & Knight