IT security requirements now part of the FAR

One of the final pieces needed to improve agency IT security across the government is now in place: Starting today, contracting officers must include cybersecurity requirements in acquisition planning.

The Federal Acquisition Regulations Council issued an interim rule today outlining five new steps acquisition workers must take to ensure IT security is incorporated into all purchases. The interim rule takes effect now, and the FAR Council will accept comments until Nov. 29.

This rule has been in the works for some time. The E-Government Act of 2002, which included the Federal Information Security Management Act of 2002, called for increased security in all phases of the system's lifecycle. And the FAR Council has been writing this rule since 2003.

'The intent of adding specific guidance in the FAR is to provide clear, consistent guidance to acquisition officials and program managers,' the rule said, 'and to encourage and strengthen communication with IT security officials, CIOs and other affected parties.'

The rule:

  • Requires acquisition professionals to seek the advice of IT security specialists

  • Defines information security

  • Incorporates security requirements in acquisition planning and when describing agency needs

  • Requires contracting officers to adhere to Federal Information Processing Standards

  • Requires contracting officers to include appropriate agency security policy and requirements in IT acquisitions.

'The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of federal agencies,' the rule said. 'Agencies will customize IT security policies and implementations to meet mission need[s].'

