On June 2, 2023, the FAR Council issued an Interim Rule to implement the prohibition on having or using TikTok or any successor application or service developed or provided by ByteDance Limited (covered application). Importantly, the prohibition applies not only to Government-issued devices but encompasses contractor and contractor employee-owned devices (e.g., employee devices used as part of a bring-your-own-device program) as well. The Interim Rule took immediate effect and requires new FAR clause FAR 52.204-27, Prohibition on a ByteDance Covered Application, to be included in solicitations issued on or after June 2, 2023. In addition, solicitations issued before the effective date were required to be amended by July 3, 2023, provided that award of the resulting contract(s) occurs on or after the effective date. Existing indefinite-delivery, indefinite-quantity contracts were required to be modified to include the new clause by July 3, 2023, to apply to future orders. Finally, if exercising an option or modifying an existing contract to extend the period of performance, contracting officers must include the clause. In short, this clause will soon be in most if not all Federal government contracts. Contractors should take action now to ensure that they are prepared to comply with these requirements and that employees are familiar with and trained regarding the prohibition.Continue Reading TikTok Dances Off of Contractor IT Devices—Interim Rule Prohibits ByteDance Limited Applications
For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.
Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define requirements, as the DIB’s effort has demonstrated, it would be wise to examine best practices in incident response plans to begin sooner rather than later.Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War