Photo of Michael G. Gruden, CIPP/GPhoto of Jacob HarrisonPhoto of Alexis Ward

On January 3, 2025, the FAR Council released a proposed rule titled Strengthening America’s Cybersecurity Workforce (the Proposed Rule).  The Proposed Rule would amend the Federal Acquisition Regulation (FAR) by standardizing workforce criteria for cybersecurity and information technology support services contracts.  The Proposed Rule implements a 2019 executive order, America’s Cybersecurity Workforce, which emphasized the strategic importance of a strong cybersecurity workforce.  Comments will be accepted until March 4, 2025, and the FAR Council specifically invites comments on the Proposed Rule’s impact on small entities.

The Proposed Rule seeks to incorporate an existing framework into the FAR, specifically the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity (NICE Framework).  The Proposed Rule will require contractors to adjust existing policies as well as reporting, offers, and quotes, to ensure they align with the NICE Framework.

NIST developed the NICE Framework in 2020 to create a common lexicon for discussing cybersecurity work and job functions across the public, private, and academic sectors.  

The Proposed Rule amends five Parts of the FAR:

  • FAR 2.01: This amendment provides definitions for “Cybersecurity” and the “NICE Workforce Framework for Cybersecurity (NICE Framework).”
  • FAR 7.105: Agency acquisition plans to acquire information technology support services and cybersecurity support services must describe necessary tasks, knowledge, skills, and work role requirements in line with the NICE Framework.
  • FAR 11.002: Agencies must align cybersecurity tasks, knowledge, skills, and work roles with the NICE Framework in requirements documents. Contractor offers, quotes, and reporting must also align with the NICE Framework.
  • FAR 12.202: Requirements documents for the acquisition of commercial products and commercial services must also incorporate the NICE Framework.
  • FAR 39.104: Requirements documents for the acquisition of information technology support services and cybersecurity support services must also incorporate the NICE Framework.

The Proposed Rule will not impact contracts below the simplified acquisition threshold (SAT) or for commercial products (including Commercially Off the Shelf (COTS) Items)) or commercial services.

Accordingly, contractors who provide or seek to provide information technology support services or cybersecurity support services should consider familiarizing themselves with the NICE Framework in anticipation of the Proposed Rule’s eventual implementation.

Tags: Cybersecurity, government contracts
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Read more about Michael G. Gruden, CIPP/G
Show more Show less
Photo of Jacob Harrison Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Read more about Jacob Harrison
Show more Show less
Photo of Alexis Ward Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.

Read more about Alexis Ward
Show more Show less
Related Posts
For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
April 10, 2025
Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
April 10, 2025
FedRAMP 20x: Proposed Framework Aims To Increase Automation and Efficiency
March 26, 2025