Federal Acquisition Regulation: Strengthening America's Cybersecurity Workforce

DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION <CFR>48 CFR Parts 2, 7, 11, 12, and 39</CFR> <DEPDOC>[FAR Case 2019-014, Docket No. FAR-2019-0014, Sequence No. 1]</DEPDOC> <RIN>RIN 9000-AN97</RIN> <SUBJECT>Federal Acquisition Regulation: Strengthening America's Cybersecurity Workforce</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). <HD SOURCE="HED">ACTION:</HD> Proposed rule. <SUM> <HD SOURCE="HED">SUMMARY:</HD> DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to incorporate a framework for describing cybersecurity workforce knowledge and skill requirements used in contracts for information technology support services and cybersecurity support services in line with an Executive Order to enhance the cybersecurity workforce. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before March 4, 2025 to be considered in the formation of the final rule. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> Submit comments in response to FAR Case 2019-014 to the Federal eRulemaking portal at <E T="03">https://www.regulations.gov</E> by searching for “FAR Case 2019-014”. Select the link “Comment Now” that corresponds with “FAR Case 2019-014”. Follow the instructions provided on the “Comment Now” screen. Please include your name, company name (if any), and “FAR Case 2019-014” on your attached document. If your comment cannot be submitted using <E T="03">https://www.regulations.gov,</E> call or email the points of contact in the <E T="02">FOR FURTHER INFORMATION CONTACT</E> section of this document for alternate instructions. <E T="03">Instructions:</E> Please submit comments only and cite “FAR Case 2019-014” in all correspondence related to this case. Comments received generally will be posted without change to <E T="03">https://www.regulations.gov,</E> including any personal and/or business confidential information provided. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at <E T="03">https://www.regulations.gov/faq).</E> To confirm receipt of your comment(s), please check <E T="03">https://www.regulations.gov,</E> approximately two to three days after submission to verify posting. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> For clarification of content, contact Ms. Malissa Jones, Procurement Analyst, at 571-882-4687 or by email at <E T="03">malissa.jones@gsa.gov.</E> For information pertaining to status, publication schedules, or alternate instructions for submitting comments if <E T="03">https://www.regulations.gov</E> cannot be used, contact the Regulatory Secretariat at 202-501-4755 or <E T="03">GSARegSec@gsa.gov.</E> Please cite “FAR Case 2019-014.” </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> DoD, GSA, and NASA are proposing to revise the FAR to incorporate the NICE Workforce Framework for Cybersecurity (NICE Framework), National Institute of Standards and Technology (NIST) Special Publication 800-181 and additional tools to implement it at <E T="03">https://www.nist.gov/nice/framework,</E> for describing workforce knowledge and skill requirements used in contracts for information technology support services and cybersecurity support services in line with Executive Order (E.O.) 13870, America's Cybersecurity Workforce. E.O. 13870 requires agencies to incorporate the NICE Framework, NIST Special Publication 800-181 into workforce knowledge and skill requirements used in contracts for information technology and cybersecurity services. DoD, GSA, and NASA are proposing to revise the FAR to ensure that when acquiring information technology support services or cybersecurity support services, agencies describe the cybersecurity workforce tasks, knowledge, skills, and work roles to align with the NICE Framework. The NICE Framework is a nationally focused resource that categorizes and describes cybersecurity work. The NICE Framework establishes a common language that defines and categorizes cybersecurity competency areas and work roles, including the knowledge and skills needed to complete tasks in those roles. It is a fundamental resource in the development and support of a prepared and effective cybersecurity workforce that enables consistent organizational and sector communication for cybersecurity education, training, and workforce development. The NICE Framework is intended to be applied in the public, private, and academic sectors to grow the cybersecurity capability of the U.S. Government, increase integration of the Federal cybersecurity workforce, and strengthen the skills of Federal information technology and cybersecurity practitioners. <HD SOURCE="HD1">II. Discussion and Analysis</HD> DoD, GSA, and NASA are proposing to amend the FAR to define terms that are referenced. As such, this rule proposes to amend FAR 2.101 by adding a definition for “cybersecurity” and a definition for the “NICE Workforce Framework for Cybersecurity (NICE Framework)”. Previously known as the “National Initiative for Cybersecurity Education,” NICE is now known only by its acronym. For the acquisition of information technology support services ( <E T="03">e.g.,</E> backup and recovery services and technical support) or cybersecurity support services ( <E T="03">e.g.,</E> threat analysis, vulnerability analysis, and digital forensics), the proposed rule implements the following requirements to ensure agencies include the cybersecurity workforce tasks, knowledge, skills, and work roles to align with the NICE Framework in contracts: • FAR 7.105 is amended to require that agency acquisition plans for the acquisition of information technology support services or cybersecurity support services describe any cybersecurity workforce tasks, knowledge, skills, and work roles to align with the NICE Framework. • FAR 11.002 is amended to require that cybersecurity workforce tasks, knowledge, skills, and work roles described in agency requirements documents align with the NICE Framework. Agencies shall also require offers, quotes, and reporting requirements ( <E T="03">e.g.,</E> contractor deliverables) to align with the NICE Framework. • FAR 12.202 is amended to require, for the acquisition of commercial products and commercial services, compliance with the direction at FAR 11.002 for incorporating the NICE Framework in requirements documents. • FAR 39.104 is amended to reference, for information technology support services and cybersecurity support services, the direction at FAR 11.002 for incorporating the NICE Framework in requirements documents. <HD SOURCE="HD1">III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Products (Including Commercially Available Off-the-Shelf (COTS) Items) or for Commercial Services</HD> This rule does not create new solicitation provisions or contract clauses or impact any existing provisions or clauses. <HD SOURCE="HD1">IV. Expected Impact of the Rule</HD> <HD SOURCE="HD2">A. Requirement</HD> This proposed rule implements requirements for agencies procuring information technology support services and cybersecurity support services to provide— (1) The cybersecurity workforce tasks, knowledge, skills, and work roles to align with the NICE Framework in their acquisition plans as a security consideration; (2) A description, in the requirements documents, of the cybersecurity workforce tasks, knowledge, skills, and work roles to align with the NICE Framework; and, (3) Requirements for offers, quotes, and reporting requirements ( <E T="03">e.g.,</E> contract deliverables) to align with the NICE Framework. <HD SOURCE="HD2">B. Impact</HD> <E T="03">Government.</E> This rule will require agencies to become familiar with the NICE Framework provided in NIST Special Publication 800-181 and additional tools to implement it at <E T="03">https://www.nist.gov/nice/framework</E> in order to describe the cybersecurity workforce tasks, knowledge, skills, and work roles when procuring information technology support services and cybersecurity support services. Agencies are expected to verify that offers, quotes, and reporting requirements ( <E T="03">e.g.,</E> contract deliverables) align with the NICE Framework. It is expected that this will take place as a part of the Government's existing acquisition process. <E T="03">Public.</E> This rule does not add any new information collection or additional requirements for contractors. This rule requires contractors to ensure contract deliverables are consistent with the NICE Framework when specified for the acquisition of information technology support services and cybersecurity support services. <E T="03">Regulatory familiarization.</E> It is expected that contractors providing information technology support services and cybersecurity support services will be required to become familiar with the NICE Framework (NIST Special Publication 800-181 and additional tools to implement it at <E T="03">https://www.nist.gov/nice/framework</E> ) which is estimated to take 20 hours. Contractors may be required to update their policies and procedures to comply with the NICE Framework requirements for acquisitions of information technology support services and cybersecurity support services. The cost to the public associated with this rule is not expected to be significant because it is limited to the cost of regulatory familiarization and the application of its requirements to offers and quotes for information technology support ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 23k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━