New "Basic Safeguarding" Cybersecurity Requirements for Federal Contractors
Construction and Procurement Law News, Q4 2016
Federal contractors and subcontractors – including those in the construction industry – should be aware of the government’s final rule, effective June 15, 2016, amending the Federal Acquisition Regulation (FAR) concerning the basic safeguarding of contractor information systems that process, store, or transmit “Federal contract information.” The final rule added to the FAR a new subpart (§ 4.19) and a new contract clause (§ 52.204-21), establishing a set of fifteen minimum safeguarding measures or controls prescribed to protect information systems.
Because the new rule contains only a basic set of protections, the federal government intends for the new rule to have a very broad application. The new rule applies to all acquisitions, including commercial items other than commercially available off-the-shelf items (COTS), involving contractor information systems that may contain Federal contract information. (FAR 4.1902) “Federal contract information” is broadly defined to include any “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” Federal contract information excludes any information provided by the government to the public and “simple transactional information, such as that necessary to process payments.” (FAR 4.1901)
In line with the intent for the rule to apply broadly, contracting officers are required to include FAR 52.204-21 in any solicitations or contracts when a contractor or subcontractor may have Federal contract information in its system, but the rule does not take effect until the offeror is awarded the contract. Additionally, with the exception of COTS suppliers, contractors must “flow down” this clause to their subcontractors if the subcontractors may have Federal contract information residing in or transiting through their information systems. Although contractors will encounter FAR 52.204-21 mostly in new solicitations, there is also the possibility that it could be added to existing contracts through modification. Once a contractor or subcontractor accepts a contract containing FAR 52.204-21, it must comply with these fifteen safeguarding controls:
- Limit access to authorized users.
- Limit information system access to the types of transactions and functions that authorized users are allowed to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users and processes acting on behalf of users or devices.
- Authenticate (or verify) the identities of users, processes, or devices prior to allowing access to an information system.
- Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse.
- Limit physical access to organization information systems, equipment, and operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Although not discussed in this article, Department of Defense contractors must meet the more stringent security controls imposed by DFARS 252.204-7012, which was also recently amended.
All government contractors and subcontractors – including federal construction contractors and subcontractors – should examine their information systems and consult with their IT experts and legal counsel to make sure they are in compliance with these new safeguards. These changes should also serve as a reminder to examine existing contracts to make sure contractor information systems are in compliance with any existing safeguard obligations, as this clause does not relieve the contractor of any other security obligations. These changes to the FAR are consistent with recent regulatory actions being taken or planned to strengthen the protection of information systems, and contractors should implement these basic requirements now because more stringent requirements are likely coming.