The Department of Defense, NASA and the General Services Administration have issued a final rule to create a new part of the Federal Acquisition Regulation, or FAR, that will house requirements related to information security and supply chain security.
In a Federal Register notice published Monday, the agencies said the final rule will take effect on May 1 to create the FAR part 40 that will serve as a single, consolidated location for addressing cybersecurity supply chain risk management requirements that apply to new acquisitions.
The agencies noted that the new rule does not implement policies and procedures for managing information security and supply chain security and instead “simply establishes the new FAR part.”
A separate rulemaking will be issued to relocate existing policies or procedures, according to the notice.
With the new FAR part, contracting officers will have a designated location for reviewing and implementing applicable requirements to manage information security and supply chain security when acquiring products and services.