Federal Acquisition Regulation: Strengthening America's Cybersecurity Workforce
Published Date: 1/3/2025
Proposed Rule
Summary
The Department of Defense, GSA, and NASA want to update government rules to make sure contractors hiring IT and cybersecurity workers use clear skill standards. This helps build a stronger, smarter cybersecurity team to protect America better. If you’re involved in these contracts, get ready to follow new guidelines and share your thoughts by March 4, 2025.
Free Policy Watch
New rules are filed every week. Most people never see them.
Pick a topic. PRIA watches every federal rule and tells you when one hits your household.
Pick a topic to get started
Analyzed Economic Effects
5 provisions identified: 1 benefits, 4 costs, 0 mixed.
Scope: Number of Firms Affected (Estimate)
Based on FY2021–FY2023 FPDS data, the Government estimates about 2,734 unique entities (including about 1,745 unique small entities) may need to ensure contract deliverables are consistent with the NICE Framework. This estimate assumes approximately 50 percent of entities awarded IT services contracts will be awarded IT support or cybersecurity support service contracts.
Agencies Must Use NICE Framework
If an agency is buying information technology support services or cybersecurity support services, the agency must describe cybersecurity workforce tasks, knowledge, skills, and work roles that align with the NICE Workforce Framework (NIST SP 800-181) in acquisition plans and requirements documents. This alignment must be in effect at the time the solicitation is issued and is required by changes to FAR sections 7.105, 11.002, 12.202, and 39.104.
Contractors Must Align Offers and Deliverables
If you offer information technology support services or cybersecurity support services to the federal government, any offers, quotes, and contract deliverables must align with the NICE Workforce Framework (NIST SP 800-181) in effect at the time of the solicitation. The proposed rule states contractors will be expected to ensure consistency with the NICE Framework when it is specified in acquisitions.
Regulatory Familiarization: Estimated 20 Hours
The proposed rule estimates that contractors providing information technology support services and cybersecurity support services will need about 20 hours to become familiar with the NICE Framework (NIST SP 800-181) and related tools. Contractors may also need to update policies and procedures to comply when solicitations require alignment with the NICE Framework.
No New Clauses or Information Collections
The proposed rule states it does not create new solicitation provisions or contract clauses and does not add information collection requirements under the Paperwork Reduction Act. The Government also states there are no new reporting, recordkeeping, or other compliance requirements in the rule.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in