On April 1, 2024, the FAR Council published a new Final Rule that establishes FAR Part 40 – but without any new provisions of substance. This Final Rule becomes effective on May 1, 2024. Subsequently, the FAR Council published a Request for Information (“RFI”) on April 10, 2024. The RFI seeks feedback on the scope and organization of FAR Part 40 and is open for comment until June 10, 2024.
The Final Rule simply establishes the framework for the new FAR part and that’s it. It does not detail or implement any of the information security and supply chain security policies or procedures that will eventually appear under FAR Part 40.
FAR Part 40 will serve as a centralized location to cover the broad security requirements, policies, and procedures for managing information security and supply chain security that currently appear across multiple FAR parts. The FAR Council recognizes that such a spread makes it difficult to understand and implement the relevant requirements and seeks to remedy this issue through the new FAR part.
The RFI outlines the specific FAR subparts and regulations that are being considered to be located in – or relocated to – Part 40, including security-related requirements relating to information and communications technology (“ICT”) (such as the Section 889 security requirements). Other supply chain and information risks that are unrelated to security risks (such as climate-related risks) will continue to be covered in other FAR parts.
The FAR Council seeks input regarding specific examples of how organizations would either be negatively or positively impacted by the recommended scope and subparts; proposed revisions and how those revisions might be more effective in achieving the same objective; and comments regarding the economic effects of the proposed rule. The FAR Council is also seeking input regarding (1) any additional section(s) of the FAR that should be included in Part 40; and/or (2) any suggestions for improving the proposed scope of the regulation. Federal contractors and organizations that will be impacted by this proposed rule should consider submitting feedback during this public comment period.
Federal contractors should also expect to see a separate rulemaking that relocates the existing policies and procedures. Sheppard Mullin’s Governmental Cybersecurity and Data Protection Team will continue to monitor the development of FAR Part 40 as well as the separate rulemaking. We will provide updates as they become available.