NICE and Easy: Proposed Cybersecurity FAR Amendment Incorporates NICE Framework, Standardizing Cybersecurity Workforce Descriptions

On January 3, 2025, the FAR Council released a proposed rule titled Strengthening America’s Cybersecurity Workforce (the Proposed Rule).  The Proposed Rule would amend the Federal Acquisition Regulation (FAR) by standardizing workforce criteria for cybersecurity and information technology support services contracts.  The Proposed Rule implements a 2019 executive order, America’s Cybersecurity Workforce, which emphasized the strategic importance of a strong cybersecurity workforce.  Comments will be accepted until March 4, 2025, and the FAR Council specifically invites comments on the Proposed Rule’s impact on small entities.

The Proposed Rule seeks to incorporate an existing framework into the FAR, specifically the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity (NICE Framework).  The Proposed Rule will require contractors to adjust existing policies as well as reporting, offers, and quotes, to ensure they align with the NICE Framework.

NIST developed the NICE Framework in 2020 to create a common lexicon for discussing cybersecurity work and job functions across the public, private, and academic sectors.  

The Proposed Rule amends five Parts of the FAR:

• FAR 2.01: This amendment provides definitions for “Cybersecurity” and the “NICE Workforce Framework for Cybersecurity (NICE Framework).”
• FAR 7.105: Agency acquisition plans to acquire information technology support services and cybersecurity support services must describe necessary tasks, knowledge, skills, and work role requirements in line with the NICE Framework.
• FAR 11.002: Agencies must align cybersecurity tasks, knowledge, skills, and work roles with the NICE Framework in requirements documents. Contractor offers, quotes, and reporting must also align with the NICE Framework.
• FAR 12.202: Requirements documents for the acquisition of commercial products and commercial services must also incorporate the NICE Framework.
• FAR 39.104: Requirements documents for the acquisition of information technology support services and cybersecurity support services must also incorporate the NICE Framework.

The Proposed Rule will not impact contracts below the simplified acquisition threshold (SAT) or for commercial products (including Commercially Off the Shelf (COTS) Items)) or commercial services.

Accordingly, contractors who provide or seek to provide information technology support services or cybersecurity support services should consider familiarizing themselves with the NICE Framework in anticipation of the Proposed Rule’s eventual implementation.