The deadline for the final draft by the Federal Acquisition Regulations (FAR) Council on a ruling to consolidate cybersecurity supply chain risk management requirements is approaching soon. The final ruling is expected to further permeate cybersecurity regulations across Federal procurement circles.
The FAR Part 40 ruling will provide contracting officers with a single consolidated location in the FAR Council for cybersecurity supply chain risk management requirements. The proposed change to create the new section to the FAR is expected soon.
The Director for the Defense Acquisition Regulations Council first tasked staff to draft the final FAR Part 40 rule in September 2022, with an expected due date of Oct. 12, 2022. The due date subsequently was extended to Aug. 9, 2023.
As the Federal government awaits a final draft of the FAR Part 40 rule, the Office of Management and Budget released interim guidance requiring agencies to procure software designed and managed following common cybersecurity practices.
In addition to the FAR Part 40 rule, the council is reviewing a dozen other proposed rules around cybersecurity.
These include the final rule to implement the ability of the Federal Acquisition Supply Chain Council to exclude companies or products that pose a risk to Federal agencies, standardizing cybersecurity requirements for unclassified information systems, and a prohibition on contracting with entities using certain telecommunications and video surveillance services or equipment.