Level Up: Proposed Rule Seeks to Enhance America's Cybersecurity Workforce Requirements
Litigation Alert
America's cybersecurity is highly dependent on a diverse workforce of cybersecurity professionals who work in the public, private, and academic sectors. On January 3, 2025, the Federal Acquisition Regulation (FAR) Council issued a proposed rule to standardize training, knowledge, and skill requirements for a critical portion of that workforce. Drawing from the National Initiative for Cybersecurity Education (NICE) Framework (NIST Special Publication (SP) 800-181), the rule proposes to update the FAR to include new workforce knowledge and skill requirements that would apply to contractor personnel who support commercial and non-commercial contracts for information technology (IT) support services or cybersecurity support services.
Proposed Rule Background
The proposed rule stems from Executive Order (E.O.) 13870, America's Cybersecurity Workforce, which was issued in 2019 during President Trump's first term as part of that administration's broader National Cyber Strategy. The E.O. emphasized the importance of a "superior cybersecurity workforce," comprised of public and private sector personnel, to U.S. economic and national security. Relevant to the proposed rule, the E.O. directed federal agencies to incorporate the NICE Framework into their IT and cybersecurity support services acquisitions by utilizing the Framework's lexicon and taxonomy in workforce knowledge and skills requirements descriptions and by including requirements that will allow agencies to more effectively and consistently evaluate whether proposed personnel have the necessary qualifications to successfully perform under the contracts.
The NICE Framework defines and categorizes cybersecurity "Competency Areas" and "Work Roles," including the "Knowledge" and "Skills" needed to complete "Tasks" in those roles. The framework includes:
- 2,200+ Task, Knowledge, Skill (TKS) Statements
  - Task Statements are used to describe the work and have associated Knowledge and Skills Statements
  - Knowledge and Skills Statements are used to describe personnel qualifications required to accomplish Tasks
- 11 Competency Areas: Clusters of related Knowledge and Skill Statements that correlate with one's capability to perform Tasks in a particular domain.
- 52 Work Roles: Ways of describing a grouping of work for which someone is responsible or accountable.
Proposed Amendments to the FAR
The rule proposes to amend the following parts of the FAR:
- FAR 2.101
  - Defines "cybersecurity" as "prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."
  - Defines "NICE Workforce Framework for Cybersecurity (NICE Framework)" as "a common language for describing cybersecurity work which expresses the work as task statements and includes knowledge and skill statements that provide a foundation for learners including students, job seekers, and employees."
- FAR 7.105
  - Requires IT or cybersecurity support services acquisition plans to describe cybersecurity workforce tasks, knowledge, skills, and work roles consistently with the NICE Framework.
- FAR 11.002
  - Requires agency requirements document descriptions of cybersecurity workforce tasks, knowledge, skills, and work roles to be consistent with the NICE Framework.
  - Directs agencies to require offers, quotes, and reporting requirements (e.g., contractor deliverables) that align with the NICE Framework.
- FAR 12.202
  - Requires compliance with FAR 11.002 (incorporation of NICE Framework into requirements documents) for the acquisition of commercial products and services.
- FAR 39.104
  - Requires compliance with FAR 11.002 (incorporation of NICE Framework into requirements documents) for the acquisition of information technology support services and cybersecurity support services.
Key Takeaways for Contractors
At present, the proposed rule does not include solicitation provisions or contract clauses that would create new compliance obligations for contractors providing IT or cybersecurity support services to the federal government. Still, because FAR 11.002 would require agencies to evaluate proposals and deliverables for compliance with the NICE Framework, contractors must be prepared to show that their proposed cybersecurity personnel are trained to NICE standards. For some contractors, that may necessitate changes in hiring practices, job descriptions, internal policies and procedures, and training programs to ensure those align with the NICE Framework's requirements.
Comments on the proposed rule are due March 4, 2025. If you have any questions about the proposed rule or the potential impact to your business, please contact one of the Miller & Chevalier attorneys listed below.
Ashley Powers, apowers@milchev.com, 202-626-5564
Connor W. Farrell, cfarrell@milchev.com, 202-626-5925