Quiero saber acerca de...

26634

Federal Register / Vol. 86, No. 93 / Monday, May 17, 2021 / Presidential Documents b Within 60 days of the date of this order, the Director of the Office of Management and Budget OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, shall review the Federal Acquisition Regulation FAR and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT
service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommendations shall include descriptions of contractors to be covered by the proposed contract language.
c The recommended contract language and requirements described in subsection b of this section shall be designed to ensure that:
i service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies requirements;
ii service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;
iii service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and iv service providers share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.
d Within 90 days of receipt of the recommendations described in subsection b of this section, the FAR Council shall review the proposed contract language and conditions and, as appropriate, shall publish for public comment proposed updates to the FAR.
e Within 120 days of the date of this order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks.
f It is the policy of the Federal Government that:
i information and communications technology ICT service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies;
ii ICT service providers must also directly report to CISA whenever they report under subsection fi of this section to Federal Civilian Executive Branch FCEB Agencies, and CISA must centrally collect and manage such information; and iii reports pertaining to National Security Systems, as defined in section 10h of this order, must be received and managed by the appropriate agency as to be determined under subsection giE of this section.
g To implement the policy set forth in subsection f of this section:
i Within 45 days of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense acting through the Director of the National Security Agency NSA, the Attorney General,
VerDate Sep<11>2014

15:52 May 14, 2021

Jkt 253001

PO 00000

Frm 00002

Fmt 4705

Sfmt 4790

E:FRFM17MYE0.SGM

17MYE0