IT security to be added to FAR

The General Services Administration is drafting a Federal Acquisition Regulation addition to integrate security into IT buys.

Joan Hash, director of security management assistance in the National Institute of Standards and Technology's Computer Security Division, made the announcement today during a discussion of government cybersecurity requirements at the GOVSEC security conference in Washington.

In addition to GSA's work on a new acquisition regulation, NIST is developing governmentwide categories for sensitive but unclassified information, plus a set of minimum security requirements to protect each category.

Among other things, the draft FAR addition will require contracting officers to work with agency CIOs to ensure that security requirements are built into purchases.

It will mandate compliance with federal encryption standards and also will require security plans from and security training for contractors. Contracts also would include a standard security clause and a privacy impact statement.

Hash could not say when the draft would be released.

NIST has a 12-month deadline for developing categories for sensitive information under the Federal Information Management Act, signed into law last year as part of the E-Government Act.

The scheme is intended to facilitate cross-agency use of information, Hash said. The categories will be part of a new Federal Information Processing Standard. A draft version of FIPS 199 appears on NIST's Web site, at

NIST must develop minimum security requirements for each category within three years, spelled out in NIST document 800-53.

About the Author

William Jackson is a Maryland-based freelance writer.
