- The U.S. federal government announced new Federal Acquisition Regulation (FAR) rules that set high-level standards for the basic safeguarding of contractor information systems that process, store or transmit federal contract information.
- The new FAR rules are effective July 15, 2016, and apply to all contractors whose systems handle federal contract information, with the sole exception of suppliers of commercial-off-the-shelf (COTS) products.
- Contractors should expect the addition of controlled unclassified information (CUI) protection standards to the FAR in the near future.
The U.S. federal government announced on May 16, 2016, new Federal Acquisition Regulation (FAR) rules that set high-level standards for the basic safeguarding of contractor information systems that process, store or transmit federal contract information (81 Fed. Reg. 30439). They create a new FAR section (4.19) and a new clause (52.204-21). The new rules finalize proposed revisions to the FAR first published in 2012. The regulations become effective on July 15, 2016.
New FAR Rules Impact Virtually All Federal Contractors
The FAR rules have a broader reach than the U.S. Department of Defense (DoD) interim cybersecurity regulations introduced in 2015. The DoD rules cover controlled unclassified information (CUI). The FAR rules apply to "covered contractor information systems," which are systems that are owned or operated by a contractor and that process, store or transmit federal contract information. "Federal contract information" means information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government (excluding public information). The breadth of this definition potentially captures contractor operational systems, such as billing and accounting. In other words, the regulations impact virtually all federal contractors and their information systems. The only exception is for procurements of commercial-off-the-shelf (COTS) products as defined in FAR 2.101, but this exception does not apply to "commercial item" procurements that do not qualify as COTS products.
FAR Protection Standards Are High-Level
The standards identified in the FAR rules are less specific than those included in the DoD CUI interim rules. The FAR cybersecurity safeguards focus on protecting the information systems themselves, as opposed to setting protection requirements based on the type of information within the systems, which is the approach taken by the DoD. On the other hand, the regulation's preamble characterizes the rules as "just one step in a series of coordinated regulatory actions ..." Contractors should expect the addition of CUI protection standards to the FAR in the near future.
The first set of CUI regulations will be based on the guidance issued by the Office of Management and Budget (OMB) in August 2015 (80 Fed. Reg. 4555). This guidance divides protection levels based on the system's function. Generally speaking, contractor systems operated on behalf of the government are subject to the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which is a catalog of security and privacy controls for federal agencies. Internal contractor systems are subject to NIST SP 800-171, which establishes standards for federal contractors. There will also be FAR changes reflecting the 2015 National Archives and Records Administration (NARA) regulations instructing federal agencies how to classify and handle CUI (80 Fed. Reg. 26,501). While the NARA regulations primarily impact government agencies, some provisions, such as the marking of CUI and challenges to CUI designation, will affect contractors.
While the FAR CUI protections are further in the future, as of July 15, 2016, all federal contract information in covered systems will be subject to the 15 basic system protections contained in the new FAR rules:
- The limitation of information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems)
- The further limitation of information system access to the types of transactions and functions that the authorized users are permitted to execute
- Processes to verify, control and limit connections to and use of external information systems
- The control of information posted or processed on publicly accessible information systems
- A means to identify information system users, processes acting on behalf of users or devices
- Authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational information systems
- Assurance that information system media containing federal contract information will be sanitized or destroyed before disposal or release for reuse
- Restriction of physical access to organizational information systems, equipment and the respective operating environments to authorized individuals
- Controls on outsider visits, including escorting visitors and monitoring their activities, maintenance of audit logs of physical access and control of physical access devices
- Implementation of processes to monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
- The use of subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- The ability to identify, report and correct information and information system flaws in a timely manner
- Sufficient safeguards to provide protection from malicious code at appropriate locations within organizational information systems
- The updating of malicious code protection mechanisms when new releases are available
- Performance of periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed
These requirements must be flowed down to subcontractors.
Beginning July 15, 2016, the vast majority of federal government contractors must have the capabilities to provide the information security protections identified above. DoD contractors, however, will have the additional responsibility of measuring their cybersecurity protections against the standards contained in the DoD CUI interim regulations in order to bid on affected contracts. Civilian contractors must anticipate CUI safeguarding regulations in the near future.
While the full range of cybersecurity requirements impacting government contractors is still in flux, contractors cannot afford to wait for a final uniform set of standards. Contractors should use available information – primarily the DoD rules and OMB proposal – to develop uniform processes to 1) identify CUI, 2) understand its source, location and usage, and 3) ensure consistent protective measures throughout their companies.