Effective June 15, 2016, government contractors must apply basic safeguarding measures to their information systems, pursuant to a recent final rule amending the Federal Acquisition Regulation (FAR). The rule will apply to contracts in which a prime contractor or subcontractor (at any tier) may have federal contract information residing in or transiting through its information system. The only exception to the rule is contracts for commercially available off-the-shelf (COTS) items. Therefore the rule will have broad applicability, including contracts with civilian agencies, below the simplified acquisition threshold, and contracts and subcontracts with small businesses and suppliers of non-COTS commercial items.
According to the rule's preamble, the "basic safeguarding measures" set forth in the Rule are "generally employed as part of the routine course of doing business" and are described as being "reflective of actions a prudent business person would employ." These measures will be captured in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information System, and are summarized as follows:
- Implement access controls for authorized users, processes, devices, transactions, and functions;
- Verify and control/limit connections to and use of external information systems;
- Control information posted or processed on publicly accessible information systems;
- Identify information system users, processes acting on behalf of users, or devices;
- Authenticate (or verify) identifications of users, processes, or devices prior to information system access;
- Sanitize or destroy media containing Federal Contract Information prior to disposal or release for reuse;
- Implement physical access controls;
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
- Monitor, control, and protect external and internal organizational communications;
- Segment subnetworks for publicly accessible systems;
- Provide for timely identification, reporting, and correction of system flaws;
- Control for insertion of malicious code and update protection as needed;
- Perform periodic scans of the system and real-time scans of files from external sources.
These measures must be flowed down to subcontracts in which the subcontractor may have federal contract information residing in or transiting through its information system.
The Rule is not focused on the protection of specific information, but rather the safeguarding of "covered contractor information systems," which is defined as an "information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information."
Agency contracting officers are instructed to insert the Basic Safeguarding clause in contracts when the prime contractor or a subcontractor at any tier may have federal contract information residing in or transiting through its information system. Federal contract information is defined as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
The Rule does not draw a line between types of information, but rather provides a basic set of protections for all federal contract information that will then be built upon by other rules, such as for controlled unclassified information (CUI). For contractors processing CUI or higher-level sensitive information, additional safeguarding standards will apply.
How to Prepare for the Basic Safeguarding Rule
The definition of "federal contract information" ("information not intended for public release") creates ambiguity, and the fact that a determination must be made at the outset by a contracting officer likely means that the contract provision will be applied more often than necessary. As such, federal contractors and subcontractors should prepare themselves for compliance with this new FAR provision.
Operations Implications: Contractors and subcontractors must consider both the operational and technical requirements of the Basic Safeguarding rule. Protecting against malicious code and performing scans of information systems reflect more routine and intuitive requirements under the rule. However, contractors must also apply physical security, provide escorts, and monitor visitor activity as part of their operations. Contractors must pay attention to the full range of requirements to ensure basic safeguards are met.
Reporting Obligations: Although "basic" in name, the Basic Safeguarding rule imposes a reporting obligation when a contractor or subcontractor identifies "information system flaws." Contractors and subcontractors must ensure they have the capacity to timely detect information system flaws, and be prepared to report those flaws appropriately to prime contractors and/or customer agencies. Reporting obligations likely will be a significant consideration as prime contractors and subcontractors negotiate subcontracts.
Seeking Clarification from Agencies: Contractors and subcontractors should watch for inclusion of the Basic Safeguarding clause in upcoming solicitations. If a contractor does not anticipate having federal contract information reside in or transit through its information system, it should inquire with the contracting officer during the solicitation's question and answer process to better understand why the agency believes basic safeguarding is necessary under the contract.