New rule covers purchasing authority for cyber emergencies

The federal government is moving to expand emergency procurement authority for purchases used to respond to or recover from a cyber attack, according to a new proposed rule in the Federal Register.

By BeeBright shutterstock ID: 789734968
 

The federal government is moving to expand emergency procurement authority for purchases used to respond to or recover from a cyberattack, according to a new proposed rule in the Federal Register.

The change places cyberattacks against the United States in the same category as nuclear, biological, chemical or radiological attacks. It would allow federal procurement officials to spend up to $20,000 for domestic purchases and $30,000 for international purchases under micropurchasing rules, as well as $750,000 and $1.5 million for simplified acquisition purchases, provided the work has "a clear and direct relationship to the support of a contingency operation."

The notice -- put out by the Department of Defense, General Services Administration and NASA -- implements several provisions from the 2017 National Defense Authorization Act that increase the dollar threshold for agency purchases that are in support of federal efforts to respond to an emergency or a disaster.

The 2017 NDAA added cyberattacks to the list of circumstances that warrant invoking the authority. Military and civilian federal acquisition councils declined to provide a definition for cyberattack, citing a lack of a clear statutory definition and a desire to provide policymakers with maximum flexibility.

The government expects that the change in rules will affect less than 100 smaller federal contractors and save them a combined $1.3 million per year in reduced compliance costs.

The new rule must still be finalized before going into effect. Comments on the proposal are due by Aug. 27, 2018.