On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to add a new subpart and contract clause for the basic safeguarding of contractor information systems. Put another way, these provide baseline or minimum cybersecurity requirements with which almost all federal contractors and subcontractors will have to comply. The rule will take effect on June 15, 2016.
Significantly, this Final Rule was issued nearly four (4) years after the Proposed Rule was first issued (August 2012). This unusually long period of time between Proposed Rule and Final Rule highlights the challenges the Federal Government faced in regulating an area that is constantly changing, as well as in coming up with standards that would apply to all businesses, no matter what size.
Who Is Covered
FAR 52.204-21 "Basic Safeguarding of Covered Contractor Information Systems" applies to the following:
- An information system;
- Owned or operated by a contractor;
- That processes, stores, or transmits Federal contract information.
The following are relevant definitions for purposes of this rule:
- Federal Contract Information: "means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
- Information: "means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual."
- Information System: "means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information."
As you can see, the rule is broad in terms of applicability, and according to the preamble to the rule, this was done intentionally. The rule was intended to apply to virtually all Federal contractors as a way to provide the minimum baseline cybersecurity requirements that are applicable to anyone working on a Federal Contract.
What Is Required
If a contractor is covered by this rule, it must then meet the following basic safeguarding requirements:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
- Limit information system access to the type of transactions and functions that authorized users are permitted to execute;
- Verify and control/limit connections to and use of external information systems;
- Control information posted or processed on publicly accessible information systems;
- Identify information system users, processes acting on behalf of users, or devices;
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
- Identify, report, and correct information system flaws in a timely manner;
- Provide protection from malicious code at appropriate locations within organizational information systems;
- Update malicious code protection mechanisms when new releases are available;
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Next Steps and Conclusion
Contractors should also keep in mind that these requirements and the new FAR clause neither displace nor relieve contractors of other specific safeguarding requirements imposed by regulation or by the various agencies with which the contractor may work. For example, there are additional requirements for contractors that work with or have access to DoD unclassified controlled technical information (see DFARS 252.204-7012).
Although a cursory look at the list may give the impression that the requirements are burdensome, our understanding is that most contractors with information systems likely have most of these in place. Nonetheless, we recommend that contractors go through this list and verify that they are in compliance with each item, including (if you do not have an internal IT professional) engaging an external IT consultant to verify compliance.