Full Report
The U.S. Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) are... The post DoD, GSA, NASA unite to boost cybersecurity workforce standards in FAR alignment with EO 13870 appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: FAR Cybersecurity Workforce Standards Alignment
## Overview
This initiative involves the DoD, GSA, and NASA amending the Federal Acquisition Regulation (FAR) to integrate the NICE Workforce Framework for Cybersecurity (NIST SP 800-181) and related tools. The purpose is to standardize and enhance cybersecurity workforce knowledge and skill requirements outlined in contracts for information technology and cybersecurity support services, in direct alignment with Executive Order (EO) 13870 aimed at strengthening the federal cybersecurity workforce.
## Key Details
- Issuing Authority: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).
- Effective Date: The process is currently in the proposed rule/comment period phase. The final rule issuance date is pending.
- Jurisdiction: U.S. Federal procurement processes, specifically those involving IT and cybersecurity support services contracts managed by DoD, GSA, and NASA.
- Status: Proposed Rule (Awaiting public comment; the notice was published last week).
## Requirements
### Mandatory Requirements
1. **Incorporation of NICE Framework:** Contracts for IT and cybersecurity support services must implement the workforce knowledge and skill requirements defined by the NICE Workforce Framework for Cybersecurity (NIST SP 800-181).
2. **Implementation via FAR Amendment:** The resulting requirements will be formalized through amendments to the Federal Acquisition Regulation (FAR).
### Recommended Practices
1. **Utilization of Additional Tools:** Contract language should incorporate the additional tools associated with the NICE Framework, as determined necessary by the issuing agencies.
## Affected Organizations
- Industries: Organizations contracting with the DoD, GSA, and NASA for Information Technology (IT) support and Cybersecurity Support Services.
- Organization Size: Not explicitly defined; applies to any vendor holding relevant federal service contracts.
- Geographic Scope: United States federal procurement ecosystem and its contractors globally.
## Compliance Timeline
- **Publication Date (Approximate):** Last Week (Early January 2025).
- **Public Comment Deadline:** **March 4, 2025**. (Interested parties must submit written comments by this date for consideration in the final rule.)
- **Final Deadline:** Full compliance required upon the publication and effective date of the Final Rule amending the FAR (Date TBD).
## Implementation Guidance
### Assessment Phase
- Agencies procuring services must assess existing IT/Cybersecurity support contracts against the standards outlined in NIST SP 800-181 (NICE Framework).
### Implementation Phase
- DoD, GSA, and NASA will revise relevant FAR clauses to mandate the use of NICE Framework skill categories in Statements of Work (SOWs) and contract performance requirements.
- Contractors must map current workforce roles and skillsets to the required NICE Framework categories specified in new and renewed contracts.
### Validation Phase
- Compliance validation will occur through standard federal contract oversight mechanisms, ensuring that personnel performing IT/Cyber support meet the documented workforce standards.
## Technical Requirements
The core technical requirement concerns workforce documentation and structuring: all contracted cybersecurity personnel must align with the **knowledge, skills, and abilities (KSAs)** specified in **NIST SP 800-181 (NICE Framework)**.
## Penalties & Enforcement
- Fines: Penalties would be structured according to standard FAR non-compliance clauses, potentially including withholding of contract payments or termination for default if required workforce standards are unmet.
- Other Consequences: Reputational damage, debarment from future federal contracts.
- Enforcement: Enforcement will be managed through the respective contracting officers and oversight personnel within DoD, GSA, and NASA, utilizing established FAR compliance checking procedures.
## Related Standards
- **NIST Special Publication (SP) 800-181:** The NICE Workforce Framework for Cybersecurity (NWF). This is the central standard being incorporated.
- **Executive Order (EO) 13870:** Mandates the strengthening of the federal cybersecurity workforce, which this FAR alignment is designed to implement.
- **Federal Acquisition Regulation (FAR):** The primary regulatory vehicle being amended to implement these standards contractually.
## Resources
- Official Documentation: Federal Register Notice published last week (January 2025) regarding the proposed FAR amendments.
- Guidance Documents: NIST SP 800-181 (The NICE Framework).
- Tools: NICE Framework resources and tooling provided by NIST.
## Practical Recommendations
1. **Monitor Federal Register:** Organizations should immediately monitor the Federal Register for the full text of the proposed FAR rule once the referenced notice is fully available.
2. **Engage in Commentary:** Vendors expecting to bid on or currently holding relevant federal contracts should prepare and submit written comments regarding the proposed rule amendments by the **March 4, 2025**, deadline.
3. **KSA Mapping:** Begin internal gap analysis by mapping current cybersecurity staff KSAs against the NIST NICE Framework to proactively identify future training or hiring needs.