Holomua Consulting Group, LLC
​The Small Business Blog

TIPS * UPDATES * INDUSTRY NEWS

Almost All Federal Contractors and Subcontractors Must Now Meet Minimum Cybersecurity Requirements

6/11/2016

On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to add a new subpart (FAR 4.19) and contract clause (FAR 52.204-21) for the basic safeguarding of contractor information systems.  Put another way, these establish baseline or minimum cybersecurity requirements with which almost all federal contractors and subcontractors will have to comply.  The rule takes effect on June 15, 2016.
Background

Significantly, this Final Rule was issued nearly four (4) years after the Proposed Rule first appeared (August 2012).  This unusually long interval between Proposed Rule and Final Rule highlights two challenges the Federal Government faced: regulating an area that is constantly changing, and coming up with standards that would apply to all businesses, no matter what size.

Who Is Covered

FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," applies to a "covered contractor information system," that is:
  1. An information system;
  2. Owned or operated by a contractor;
  3. That processes, stores, or transmits Federal contract information.

The following definitions (from FAR 2.101 and 4.1901) are relevant for purposes of this rule:
  • Federal Contract Information:  "means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
  • Information:  "means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual."
  • Information System:  "means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information."

As you can see, the rule is broad in terms of applicability, and according to the preamble to the rule, this was done intentionally.  The rule was intended to apply to virtually all Federal contractors as a way to provide the minimum baseline cybersecurity requirements applicable to anyone working on a Federal contract.  Note that the clause must be flowed down to subcontractors whose own systems may handle Federal contract information, and that the only notable carve-out is for contracts solely for the acquisition of commercially available off-the-shelf (COTS) items.

What is Required 

If a contractor is covered by this rule, it must then meet the following fifteen basic safeguarding requirements (which are drawn from the "basic" security requirements in NIST Special Publication 800-171):
  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
  2. Limit information system access to the type of transactions and functions that authorized users are permitted to execute;
  3. Verify and control/limit connections to and use of external information systems;
  4. Control information posted or processed on publicly accessible information systems;
  5. Identify information system users, processes acting on behalf of users, or devices;
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
  12. Identify, report, and correct information system flaws in a timely manner;
  13. Provide protection from malicious code at appropriate locations within organizational information systems;
  14. Update malicious code protection mechanisms when new releases are available;
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Next Steps and Conclusion

Contractors should also keep in mind that these requirements and the new FAR clause do not replace, and do not relieve contractors of, other specific safeguarding requirements imposed by regulation or by the various agencies the contractor may work with.  For example, DoD contractors that work with or have access to covered defense information, including unclassified controlled technical information, face additional requirements, including cyber incident reporting, under DFARS 252.204-7012.

Although a cursory look at the list may give the impression that the requirements are burdensome, our understanding is that most contractors with information systems likely have most of these in place already.  Nonetheless, we recommend that contractors go through this list and verify that they are in compliance with each item, and document how each one is met, so that the answer to an agency or prime contractor inquiry is more than a verbal assurance.  If you do not have an internal IT professional, consider engaging an external IT consultant to verify compliance.
© 2014 Holomua Consulting Group, LLC.  All Rights Reserved.