Scope: "Solicitations and contracts when the contractor or subcontractor at any tier may have Federal contract information residing in or transiting through its information system."
Implementation: All new solicitations after June 15, 2016 (excluding COTS Items).
Subcontract Coverage: All subcontracts at all tiers (excluding COTS Items).
Dollar Thresholds: None, only exclusion is for COTS Items.
COTS Exception: Yes; COTS Items are excluded from prime and subcontract obligations.

Regulation: FAR Parts 4, 7, 12, and 52.

Starting June 15, 2016, a new clause, FAR 52.204-21 "Basic Safeguarding of Covered Contractor Information Systems," will appear in solicitations and resulting contracts and subcontracts. The primary focus of the new clause is fifteen "basic safeguarding requirements and procedures." Though the general consensus is that these obligations are not terribly onerous, conventional wisdom dictates that it is one thing to take actions as a matter of business choice and a very different thing to take those actions as a contractual obligation to the Government.

Additionally, because these obligations are viewed as a bare minimum that all companies should already employ to protect their own commercial operations, the only applicable exception is for COTS Items at all tiers.

A New Term of Art: "Federal Contract Information"

The applicability of the new contract clause, FAR 52.204-21, turns on the new term of art "Federal contract information," which is defined as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments." FAR Final Rule, 81 Fed. Reg. 30439, 30441 (May 16, 2016). The intention was for the clause to be broad. The comments express some concern over the breadth of the new rule, to which the Government responds that the new safeguards are very basic and apply only to those systems which contain Federal contract information.

Burden on Small Commercial Service Providers

Based on the broad definition of "Federal contract information," virtually any contract deliverable that is information or contains information will invoke the new rule and its accompanying safeguards. However, the new rule states: "This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information." (FAR 4.1902, emphasis added.) Therefore, a contractor or subcontractor may limit the required application of the new rule to only those systems which contain Federal contract information: "if the contractor stores preexisting proprietary data or trade secrets in a separate information system, the contractor can decide how to protect its own information." FAR Final Rule, 81 Fed. Reg. 30439, 30441 (May 16, 2016).

Although the burden weighs most heavily on smaller service providers, they may also carry the greatest potential risk as the perceived weakest links.

Wake Up Call for Commercial Item/Service Subcontractors

Companies that are generally in the posture of a subcontractor providing commercial services or commercial products should also take note, as the increased scrutiny on prime contractors and the broad applicability to subcontractors at all tiers will undoubtedly result in increased scrutiny of subcontractors.

The Required Safeguards

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  • Verify and control/limit connections to and use of external information systems.
  • Control information posted or processed on publicly accessible information systems.
  • Identify information system users, processes acting on behalf of users, or devices.
  • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • Identify, report, and correct information and information system flaws in a timely manner.
  • Provide protection from malicious code at appropriate locations within organizational information systems.
  • Update malicious code protection mechanisms when new releases are available.
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

New Burden—New Costs

Though the Final Rule is written for the contract clause (FAR 52.204-21) to come into effect via new solicitations, contracting officers are also beginning to add the clause through modification. As with all bilateral modifications, contractors are well counseled to consider what additional costs they may need to incur and to raise those prior to signing the modification and losing their primary leverage. Contractors must also be careful to examine their existing contracts to make sure they have been in full compliance with any existing IT security obligations. The clause makes clear that the new safeguarding obligations do not relieve a contractor of any other IT security obligations (FAR 52.204-21(b)(2)). No small equitable adjustment will make up for a gap in IT security revealed through a poorly conceived cost change discussion.
