Federal Contractors Now Subject to “Basic Safeguarding” Cybersecurity Requirements

As of June 15, 2016, the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. These safeguarding requirements are based on the security requirements published in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

The new provisions cover systems that process, store, or transmit Federal contract information with fifteen basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls “reflective of actions a prudent business person would employ.”  Avoiding a direct reference to any pre-existing NIST standard, the rule’s new clause, at FAR 52.204-21(b), simply mandates a contractor apply the following “minimum” controls:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to, and use of, external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

For a complete review see federalregister.gov

Nothing on this list stands out as excessive; however, the specifics of contractors’ reporting obligations are unclear.  In the list, number 12 directs a contractor to “identify, report, and correct information and information system flaws in a timely manner.” The term “timely manner” is not defined in the Final Rule, so contractors should consider what it means if the contracting agency does not further define its timeliness expectations.  In this regard, recognize that the Final Rule does not relieve a contractor of any additional specific safeguarding and reporting requirements specified by Federal agencies and departments (see, e.g., DFARS 252.204-7012) or that apply to systems that contain classified information or Controlled Unclassified Information (“CUI”).

The Final Rule also directs that the new clause found at FAR 52.204-21 be flowed down to all levels of subcontracts, and is now to be included in the list of clauses found at FAR 52.213-4, Terms and Conditions – Simplified Acquisitions, and FAR 52.244-6, Subcontracts for Commercial Items.  The flow-down, however, only applies to contracts when the subcontractor “may have Federal contract information residing in or transiting through its information system.”

While the new rule has been in process for quite some time, it should be seen as merely one step rather than the final word.  The Final Rule actually states that it is “just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems.”  Affected contractors should align their systems to meet these fundamental requirements, expect that this is just the beginning, and prepare process and timeline documentation.

Please note, this final rule does not apply to the acquisition of COTS items because it is unlikely that acquisitions of COTS items will involve Federal contract information residing in or transiting through the contractor information system. Excluding acquisitions of COTS items reduces the number of small entities to which the rule will apply.
