Cybersecurity programs and policy

We manage many IT security programs, and help agencies implement IT policy that enhances the safety and resiliency of the government’s systems and networks.

Featured announcements

Implementation of Federal Acquisition Supply Chain Security Act orders

The Federal Register published this interim rule effective December 4, 2023. The rule applies prospectively, and when a contracting officer modifies an existing contract to include the new clause.
This message to our industry partners [PDF - 408 KB] includes a quick guide on our implementation plan.
There are currently no outstanding FASCSA orders that need to be implemented.
Most FASCSA orders will be viewable on SAM.gov. There are currently no FASCSA orders to view on SAM.gov. To learn how to download the FASCSA orders file, watch this or read this .
implements section 1323 of the , which created the Federal Acquisition Security Council and authorized the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence to issue removal orders and exclusion orders.
Have questions about FASC operations? Email fasc.pmo@omb.eop.gov.

Partial implementation of

The Federal Register published two proposed cybersecurity FAR rules.
- Cyber Threat Incident Reporting and Information Sharing: is proposed to amend the FAR to increase information sharing about cyber threats and incidents between the government and information technology and operational technology service providers.
- Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems: is proposed to amend the FAR to standardize cybersecurity contractual requirements across federal agencies for unclassified federal information systems.

Implementation of the No TikTok on Government Devices Act

, established by a on June 2, prohibits the presence or use of TikTok as well as any successor application or service developed by ByteDance Limited or an entity owned by ByteDance Limited on executive agency IT, including certain equipment used by federal contractors.
This clause is included in solicitations issued and awards made on or after June 2. Existing indefinite delivery vehicles had the clause added via modification by July 3.
All other contracts and orders will have the clause added if a modification is executed to extend the period of performance.

Policy webinars

Our Office of Policy and Compliance holds quarterly industry engagements to share information and plan for the future.

Search “policy landscape webinar” on to see all posts about our webinars.

Helpful cybersecurity links

Identity, Credential, and Access Management

Federal Identity, Credential and Access Management, or FICAM Program — Guidance to help federal agencies implement security practices that enable the right individual to access the right resource, at the right time, for the right reason.
- — Read about the FICAM program management office, access multiple playbooks, and get info specific to acquisition professionals.
USAccess Program — Shared service that provides civilian agencies with badging solutions.
— Easy and secure access to government services online.
Identity, Credential, and Access Management for our program offices.

National Institute of Standards and Technology

Domains and web hosting

— Get a .gov domain
— Access a publishing platform for modern websites

Cloud

��— E��ǰ�� FedRAMP, a standardized government approach to security authorizations for cloud service offerings
— Read about why you should use cloud.gov to host and update websites, APIs, and other applications

Relevant cybersecurity policies and requirements for federal agencies

— Public Law No: 113-283

White House Office of Management and Budget Circulars
- OMB Circular No. A-130:

If you want	Search for
OMB Memoranda	M-18-02, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information M-17-02, Precision Medicine Initiative Privacy and Security M-16-19, Data Center Optimization Initiative M-16-15, Federal Cybersecurity Workforce Strategy M-16-04, Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government M-15-16, Multi-Agency Science and Technology Priorities for the FY 2017 Budget M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security
Presidential Executive Orders	EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EO 13691, Promoting Private Sector Cybersecurity Information Sharing EO 13681, Improving the Security of Consumer Financial Transactions EO 13636, Improving Critical Infrastructure Cybersecurity EO 13556, Controlled Unclassified Information
Presidential Policy Directives	PPD 41, United States Cyber Incident Coordination PPD 21, Critical Infrastructure Security and Resilience
Homeland Security	HSPD 20, National Continuity Policy
Federal Emergency Management Agency Directives	Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements

NIST standards

— Find standards, guidelines, recommendations, and research on the security and privacy of information and information systems
- — Security standards
- — Computer security
- — Cybersecurity practice guides

Related sites

Bet365