The Federal Acquisition Regulatory (FAR) Council released two notable proposals on October 3, 2023, which are likely to usher in significant changes to the cybersecurity duties of government contractors. The implications of these proposed changes are potentially far-reaching, and it is crucial for legal professionals dealing with government contracts to acquaint themselves with the details of these modifications.
One of the critical responsibilities to be introduced, should these proposed rules be enacted, is requiring government contractors to disclose to the government any actual or forthcoming cyber incidents. This obligation emphasizes the role that government contractors would play in the prevention, detection, and immediate response to any cyber threats impacting government data and infrastructure.
In addition, contractors will be expected to supply software bills of materials (SBOMs) to their government clients. SBOMs play a key role in offering transparency regarding the components used in the software systems employed by these companies. This would further add to the ability of the government to access the information needed to evaluate potential security threats.
The third significant change would be the requirement for representations about compliance. The proposed rules introduce new potential liabilities under the False Claims Act (FCA). The FCA implications arise from contractors’ commitments about their adherence to the cybersecurity requirements. Government contractors might face elevated risks of litigation under the FCA if they make assertive statements that turn out to be inaccurate.
These proposed rules reiterate the increasing emphasis on cybersecurity at all levels of the government. Legal experts need to consider these changes carefully when advising clients on managing government contracts to ensure full compliance and avoid potential risks.