United States of America: Closed Consultation on Cyber Threat and Incident Reporting Regulation (FAR Case No. 2021-0017)

On 2 February 2024, the Federal Acquisition Regulatory Council (FAR Council) closed its consultation regarding the proposed Cyber Threat and Incident Reporting Regulation. The proposed rule introduces two additions to the Federal Acquisition Regulation (FAR) Subpart 52.239, including a new contract clause and a new representation, both mandatory for all contracts above the micro-purchase threshold. The objective of this rule is to improve cyber threat information sharing and incident reporting by expanding the definition of "information and communications technology" and introducing new definitions for related terms. Additionally, it advocates for the implementation of Internet Protocol Version 6 (IPv6) and sets out specific requirements for reporting and responding to security incidents for products or services that include ICT. The regulation requires providers to ensure that their subcontractors comply with security incident reporting requirements.