On October 3, 2023, the Federal Acquisition Regulatory (“FAR”) Council released two draft rules which would impose new cybersecurity requirements for federal contractors. Comment periods for both proposed rules were slated to close on December 4, 2023. However, the deadline for comment submission has now been extended to February 2, 2024.

The two proposed rules, Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (“FIS”) (FAR Case 2021-019) both target new requirements for sharing of information related to cyber threats, compliance representations, provision of software bills of service (“SBOMs”), and cybersecurity requirements for FIS.

For a thorough overview of the key requirements of each of the proposed rules, along with some high-level advice on what contractors should do to prepare, take a look at the Paul Hastings Client Alert: “FAR Reaching Consequences: Proposed FAR Cybersecurity Requirements Will Add New Obligations for Contractors.”

Interested parties can submit comments in response to the proposed rules by searching for “FAR Case 2021-019” or “FAR Case 2021-017” on the eRulemaking portal at http://www.regulations.gov.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises on compliance with cybersecurity requirements at the federal, state, and international levels. If you have any questions concerning how to better prepare for these proposed rules or other cybersecurity requirements, please do not hesitate to contact a member of our team.