Cybersecurity programs and policy

We manage many IT security programs, and help agencies implement IT policy that enhances the safety and resiliency of the government’s systems and networks.

Featured announcements

Implementation of Federal Acquisition Supply Chain Security Act Orders

The Federal Register published this interim rule effective December 4, 2023. The rule applies prospectively, and when a contracting officer modifies an existing contract to include the new clause.
FAR case 2020-011 implements section 1323 of the SECURE Technology Act, which created the Federal Acquisition Security Council, or FASC, and authorized the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence to issue removal orders and exclusion orders.
You can submit comments directly in Regulations.gov up to February 5, 2024, to potentially influence the final publication of this FAR rule.
This message [PDF - 408 KB] to our industry partners includes a quick guide on GSA’s implementation plan.
There are currently no outstanding FASCSA orders that need to be implemented.
Most FASCSA orders will be viewable on SAM.gov. There are currently no FASCSA orders to view on SAM.gov. To learn how to download the FASCSA orders file, watch this short training video or read this knowledge article.
Send your questions about the operation of the FASC to fasc.pmo@omb.eop.gov.

Partial implementation of Executive Order 14028

The Federal Register published two proposed cybersecurity FAR rules.
- Cyber Threat Incident Reporting and Information Sharing: FAR case 2021-017 is proposed to amend the FAR to increase the sharing of information about cyber threats and incident information between the government and information technology and operational technology service providers.
- Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems: FAR case 2021-019 is proposed to amend the FAR to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems.

Implementation of the No TikTok on Government Devices Act

FAR 52.204-27, established by a FAR interim rule on June 2, prohibits the presence or use of TikTok as well as any successor application or service developed by ByteDance Limited or an entity owned by ByteDance Limited on executive agency IT, including certain equipment used by federal contractors.
This clause is included in solicitations issued, and in awards made, on or after June 2. Existing indefinite delivery vehicles had the clause added via modification by July 3.
All other contracts and orders will have the clause added if a modification is executed to extend the period of performance.

Watch related policy webinars

OPC holds quarterly industry engagements to share information and plan ahead for the future.

FY24 policy landscape webinar: December 2023
Policy landscape webinar 3: July 2023
Policy landscape webinar 2: March 2023
Policy landscape webinar 1: December 2022

Search “policy landscape webinar” on Interact to see all posts about our webinars.

Programs

Identity, Credential, and Access Management, or ICAM

Federal Identity, Credential and Access Management, or FICAM Program - Guidance to help federal agencies implement security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.
USAccess Program - Shared service that provides civilian agencies with badging solutions.
Login.gov - Simple, secure access to government services online.
Identity, Credential, and Access Management for GSA program offices.

National Institute of Standards and Technology, or NIST

Domains and web hosting

DotGov Domain Registry - Learn about the dotgov domain registry.
Pages - A publishing platform for modern, 21st Century IDEA websites.

Cloud

Federal Risk and Authorization Management Program (FedRAMP) - Standardized government approach to security authorizations for cloud products and services.
Cloud.gov - Expedite your agency’s path to a secure and compliant cloud.

Cybersecurity & Infrastructure Security Agency, or CISA

Visit America’s cyber defense agency.

Governance

Cybersecurity policies and requirements for federal agencies.

Laws

Federal Information Security Modernization Act of 2014 (FISMA 2014) - Public Law No: 113-283, December 18, 2014

Policies

White House Office of Management and Budget Circulars
- OMB Circular A-130 [PDF]
OMB Memoranda
- M-18-02, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management [PDF], June 15, 2017
- M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information [PDF], Jan 3, 2017
- M-17-02, Precision Medicine Initiative Privacy and Security [PDF], Oct 21, 2016
- M-16-19, Data Center Optimization Initiative (DCOI) [PDF], August 1, 2016
- M-16-15, Federal Cybersecurity Workforce Strategy [PDF], July 12, 2016
- M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government [PDF], October 30, 2015
- M-15-16, Multi-Agency Science and Technology Priorities for the FY 2017 Budget [PDF], July 9, 2015
- M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland [PDF], July 6, 2010
Presidential Executive Orders
Presidential Policy Directives
- PPD 41 - United States Cyber Incident Coordination
- PPD 21 - Critical Infrastructure Security and Resilience
Homeland Security Presidential Directives
- HSPD 20 - National Continuity Policy [PDF]
- DHS Presidential Directives
Federal Emergency Management Agency Directives
- Federal Continuity Directive 1 - Federal Executive Branch National Continuity Program and Requirements [PDF]

Standards

NIST Computer Security Resource Center - Extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems.
- Federal Information Processing Standards - Security standards.
- Special Publications 800 - Computer security.
- Special Publications 1800 - Cybersecurity practice guides.

Related information: