IT security requirement baked into FAR

One of the final pieces to improved agency IT security across government finally is in place: As of Sept. 30, contracting officers must include cybersecurity requirements in acquisition planning.The Federal Acquisition Regulations Council issued an interim rule late last month outlining five new steps acquisition workers must take to ensure IT security is incorporated into all purchases. The council will accept comments until Nov. 29.“The intent of adding specific guidance in the FAR is to provide clear, consistent guidance to acquisition officials and program managers,” the rule said, “and to encourage and strengthen communication with IT security officials, CIOs and other affected parties.“The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of federal agencies,” the rule also said. “Agencies will customize IT security policies and implementations to meet mission need[s].”To read the rule, go to and enter 490 in the Quickfind box.