Voglio sapere a riguardo di…

Federal Register / Vol. 86, No. 93 / Monday, May 17, 2021 / Presidential Documents
26635

and the Director of OMB, shall recommend to the FAR Council contract language that identifies:
A the nature of cyber incidents that require reporting;
B the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation;
C appropriate and effective protections for privacy and civil liberties;
D the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection;
E National Security Systems reporting requirements; and F the type of contractors and associated service providers to be covered by the proposed contract language.
ii Within 90 days of receipt of the recommendations described in subsection gi of this section, the FAR Council shall review the recommendations and publish for public comment proposed updates to the FAR.
iii Within 90 days of the date of this order, the Secretary of Defense acting through the Director of the NSA, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.
h Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements. Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government.
i Within 60 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Secretary of Defense acting through the Director of the NSA, the Director of OMB, and the Administrator of General Services, shall review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Such recommendations shall include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language.
j Within 60 days of receiving the recommended contract language developed pursuant to subsection i of this section, the FAR Council shall review the recommended contract language and publish for public comment proposed updates to the FAR.
k Following any updates to the FAR made by the FAR Council after the public comment period described in subsection j of this section, agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates.
l The Director of OMB shall incorporate into the annual budget process a cost analysis of all recommendations developed under this section.
Sec. 3. Modernizing Federal Government Cybersecurity. a To keep pace with todays dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Governments visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service SaaS, Infrastructure as a Service IaaS, and Platform as a Service PaaS; centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
b Within 60 days of the date of this order, the head of each agency shall:

VerDate Sep<11>2014

15:52 May 14, 2021

Jkt 253001

PO 00000

Frm 00003

Fmt 4705

Sfmt 4790

E:FRFM17MYE0.SGM

17MYE0