The Federal Government continues to issue cybersecurity rules, Executive Orders and guidance for federal contractors, and one of the latest additions is the Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, issued as a final rule in May 2016 and effective June 2016. The rule adds definitions of "Covered Contractor Information System" and "Federal Contract Information" and sets out 15 safeguarding requirements and procedures for federal contractors. FAR 52.204-21 supplements, rather than replaces, the other cybersecurity rules that federal contractors already have to comply with.
When it comes to meeting cybersecurity requirements, the first question is whether the new rule applies. The clause is prescribed for solicitations and contracts in which the contractor or a subcontractor at any tier may have Federal Contract Information residing in or transiting through its information system, and it flows down to subcontractors. Commercial-item contracts are covered; only acquisitions solely for commercially available off-the-shelf (COTS) items are excluded, so a vendor of a commercial product is not necessarily outside the rule. The rule applies to a "Covered Contractor Information System," defined as an information system that is owned or operated by a contractor and that processes, stores, or transmits Federal Contract Information. Thus, it is important to understand your specific contract requirements relating to such information, and to check whether your contract includes FAR 52.204-21. Because almost any non-public information generated under a contract qualifies, the rule has a very broad application.
What is “Federal Contract Information”?
It is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments. Note that the definition turns on whether the information is public, not on whether it is sensitive: ordinary working documents, drawings, schedules and e-mail exchanged with the agency under a contract can all be Federal Contract Information.
What is “Safeguarding”?
The new rule defines "safeguarding" as measures or controls that are prescribed to protect information systems, and it lists 15 security requirements. Essentially, they fall into three groups. User controls limit system access to authorized users and to the processes and devices acting on their behalf, which requires identifying those users, processes and devices and authenticating their identities before granting access. Use controls limit the types of transactions and functions that authorized users are permitted to execute, verify and limit connections to external information systems, and control what information is posted on publicly accessible systems. Information system controls cover the rest: sanitizing or destroying media that contain Federal Contract Information before disposal or reuse; limiting and logging physical access to systems and equipment and escorting visitors; monitoring and protecting communications at external and key internal boundaries; placing publicly accessible system components on subnetworks separated from internal networks; identifying, reporting and correcting system flaws in a timely manner; protecting against malicious code and keeping that protection updated; and performing periodic scans of the information systems and real-time scans of files from external sources as they are downloaded, opened or executed. The full text of the 15 requirements is in paragraph (b)(1) of the clause.
What Are Other Cybersecurity Requirements?
There are many. One of the most important is the publication setting out the minimum standards for protecting controlled unclassified information (CUI).
The National Institute of Standards and Technology Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," sets out the security requirements for protecting the confidentiality of CUI when it resides in nonfederal information systems and organizations. Agencies impose those requirements on contractors through contract clauses; the Department of Defense, for example, requires its contractors to implement SP 800-171 through DFARS 252.204-7012. The 15 FAR 52.204-21 requirements track a subset of the basic requirements in SP 800-171, so a contractor that handles CUI faces a considerably longer list than the 15 discussed above. The publication was developed pursuant to the Federal Information Security Modernization Act of 2014 and Executive Order 13556 on CUI.
What Are Some of the Best Ways to Satisfy the New 15 Cybersecurity Safeguarding Requirements and Procedures?
It starts with scoping: identify where Federal Contract Information is stored, processed or transmitted so that the covered information systems are known, and confine that information to those systems where practical. From there it requires appropriate policies and internal procedures, proper training, contingency planning, periodic assessments and remedial actions, and ongoing risk monitoring, with records that demonstrate each of the 15 requirements is in place.
If you have further questions about the new cybersecurity rules, or require training, feel free to contact us.
About the Author:
Government Contract and Compliance Counsel
Wojciech Kornacki focuses on federal Government contract compliance, bid protests, and federal litigation. He represents clients in matters involving Government Accountability Office bid protests, federal agency debarments, Boards of Contract Appeals litigation, and Export Controls (ITAR and EAR) and Trade Agreements Act compliance.