Cybersecurity programs and policy

We manage many IT security programs, and help agencies implement IT policy that enhances the safety and resiliency of the government’s systems and networks.

Featured announcements

Implementation of Federal Acquisition Supply Chain Security Act orders

The Federal Register published this interim rule effective December 4, 2023. The rule applies prospectively, and when a contracting officer modifies an existing contract to include the new clause.
This message to our industry partners [PDF - 408 KB] includes a quick guide on our implementation plan.
There are currently no outstanding FASCSA orders that need to be implemented.
Most FASCSA orders will be viewable on SAM.gov. There are currently no FASCSA orders to view on SAM.gov. To learn how to download the FASCSA orders file, watch this training video or read this knowledge article.
FAR case 2020-011 implements section 1323 of the SECURE Technology Act, which created the Federal Acquisition Security Council and authorized the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence to issue removal orders and exclusion orders.
Have questions about FASC operations? Email fasc.pmo@omb.eop.gov.

Partial implementation of Executive Order 14028

The Federal Register published two proposed cybersecurity FAR rules.
- Cyber Threat Incident Reporting and Information Sharing: FAR case 2021-017 is proposed to amend the FAR to increase information sharing about cyber threats and incidents between the government and information technology and operational technology service providers.
- Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems: FAR case 2021-019 is proposed to amend the FAR to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems.

Implementation of the No TikTok on Government Devices Act

FAR 52.204-27, established by a FAR interim rule on June 2, prohibits the presence or use of TikTok as well as any successor application or service developed by ByteDance Limited or an entity owned by ByteDance Limited on executive agency IT, including certain equipment used by federal contractors.
This clause is included in solicitations issued and awards made on or after June 2. Existing indefinite delivery vehicles had the clause added via modification by July 3.
All other contracts and orders will have the clause added if a modification is executed to extend the period of performance.

Policy webinars

Our Office of Policy and Compliance holds quarterly industry engagements to share information and plan for the future.

Search “policy landscape webinar” on Interact to see all posts about our webinars.

Helpful cybersecurity links

Identity, Credential, and Access Management

Federal Identity, Credential and Access Management, or FICAM Program — Guidance to help federal agencies implement security practices that enable the right individual to access the right resource, at the right time, for the right reason.
- IDManagement.gov — Read about the FICAM program management office, access multiple playbooks, and get info specific to acquisition professionals.
USAccess Program — Shared service that provides civilian agencies with badging solutions.
Login.gov — Easy and secure access to government services online.
Identity, Credential, and Access Management for our program offices.

National Institute of Standards and Technology

Domains and web hosting

get.gov — Get a .gov domain
Pages — Access a publishing platform for modern websites

Cloud

Federal Risk and Authorization Management Program — Explore FedRAMP, a standardized government approach to security authorizations for cloud service offerings
Cloud.gov — Read about why you should use cloud.gov to host and update websites, APIs, and other applications

Relevant cybersecurity policies and requirements for federal agencies

Federal Information Security Modernization Act of 2014 (FISMA 2014) — Public Law No: 113-283

White House Office of Management and Budget Circulars
- OMB Circular No. A-130: Managing information as a strategic resource

If you want	Search for
OMB Memoranda	M-18-02, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information M-17-02, Precision Medicine Initiative Privacy and Security M-16-19, Data Center Optimization Initiative M-16-15, Federal Cybersecurity Workforce Strategy M-16-04, Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government M-15-16, Multi-Agency Science and Technology Priorities for the FY 2017 Budget M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security
Presidential Executive Orders	EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EO 13691, Promoting Private Sector Cybersecurity Information Sharing EO 13681, Improving the Security of Consumer Financial Transactions EO 13636, Improving Critical Infrastructure Cybersecurity EO 13556, Controlled Unclassified Information
Presidential Policy Directives	PPD 41, United States Cyber Incident Coordination PPD 21, Critical Infrastructure Security and Resilience
Homeland Security Presidential Directives	HSPD 20, National Continuity Policy
Federal Emergency Management Agency Directives	Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements

NIST standards

NIST Computer Security Resource Center — Find standards, guidelines, recommendations, and research on the security and privacy of information and information systems
- Federal Information Processing Standards — Security standards
- Special Publications 800 — Computer security
- Special Publications 1800 — Cybersecurity practice guides

Related sites