After nearly four years of planning and comments, DoD, GSA, and NASA issued a final rule today amending the Federal Acquisition Regulations (“FAR”) with a new Subpart 4-19 and a new contract clause 52.204-21 addressing the basic safeguarding of contractor information systems. Applicable to all acquisitions, including commercial items other than commercial off-the-shelf items (“COTS”), the Final Rule applies to any contractor information system that may contain “Federal contract information,” meaning “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” See FAR 4.1901. The term expressly excludes information provided by the Government to the public (e.g., on public-facing web sites) or simple transactional information, “such as that necessary to process payments.”
The new provisions address systems that process, store, or transmit Federal contract information by identifying fifteen (15) security control requirements “reflective of actions a prudent business person would employ.” Avoiding a direct reference to any pre-existing NIST standard, the rule’s new clause, at FAR 52.204-21(b), simply mandates a contractor apply the following “minimum” controls:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to, and use of, external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
- Monitor, control, and protect organizational communications (e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Nothing in this list stands out as overly onerous or egregious, but the specifics of contractors’ reporting obligations are not provided. Control 12 in the foregoing list directs a contractor to “identify, report, and correct information and information system flaws in a timely manner.” What exactly constitutes a “timely manner” is not defined in the Final Rule, but may be worth exploring if the contracting agency does not further define its timeliness expectations. In this regard, it is important to recognize that the Final Rule does not relieve a contractor of any other specific safeguarding and reporting requirements specified by Federal agencies and departments (see, e.g., DFARS 252.204-7012) or that apply to systems that contain classified information or Controlled Unclassified Information (“CUI”).
The Final Rule also directs that the new clause found at FAR 52.204-21 be flowed down to all-levels of subcontracts, and is now to be included in the list of clauses found at FAR 52.213-4 Terms and Conditions – Simplified Acquisitions, and FAR 52.244-6, Subcontracts for Commercial Items. The flow-down, however, only applies to contracts when the subcontractor “may have Federal contract information residing in or transiting through its information system.”
While this Final Rule has been a long time coming, it should not be seen as the final word. In fact, the summary of the Final Rule notes that it is “just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems.” So while affected contractors should align their systems meet these fundamental requirements, they should also know that, as with all things dealing with cybersecurity, this is but just the beginning.