On May 16, four years after issuing a proposed rule, the FAR Council issued a final cybersecurity-related rule that reaches deep into the supply chain and is applicable to virtually all government contractors and subcontractors. The rule establishes a new FAR subpart 4.19 and a clause 52.204-21, both of which are entitled “Basic Safeguarding of Covered Contractor Information Systems.” The rule is effective for solicitations issued on or after June 15, 2016. A copy is available here.
The rule imposes safeguarding requirements for contractor information systems, as opposed to specific types of information maintained by government contractors, (which had been the focus of the proposed rule). It is meant to be broad in scope and to supplement, rather than supersede, other cybersecurity requirements that may be applicable to government contractors, such as the DFARS clause at 252.204-7012 on safeguarding and reporting breaches of covered defense information which took effect (and was amended several times) last year. The new FAR clause is required to be included in contracts and subcontracts at all tiers, including contracts and subcontracts for commercial items (except COTS items), where the contractor or subcontractor may have Federal contract information in or transiting through its information system. The clause effectively sets baseline standards for protecting non-public information relating to US government contracts. Indeed, the rule’s preamble states that its requirements are steps that “prudent” businesses would take irrespective of whether there was a FAR clause containing such requirements. The drafters recognize that the rule is a building block in an evolving set of cyber-related rules (including more stringent rules regarding controlled unclassified information and classified information) and expect the requirements to be the “floor” rather than the ceiling for government contractors.
The final rule includes several key definitions, including:
Federal contract information is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
Information is defined as “any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
Information system is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing or disposition of information.”
Although the rule does not impose a specific reporting requirements for breaches (as does the DFARS rule mentioned above), it does impose 15 mandatory security controls applicable to contractor and subcontractor information systems. These controls are drawn from NIST SP 800-171, which contains the full set of 100+ standards that the DFARS rule (as amended) requires covered defense contractors to implement by the end of 2017. The 15 requirements specified by the FAR rule are as follows:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Although many contractors are likely to already be complying with the requirements of the rule (many of which are phrased sufficiently broadly to allow flexibility in implementation), some of the requirements may be new to smaller contractors and subcontractors only tangentially involved in government contracting. Moreover, the rule includes some ambiguities, such as the reference to “reporting” in Requirement 12. Perhaps more significantly, each of these requirements is drawn from NIST SP 800-171, which many defense contractors have been assessing for purposes of compliance with the DFARS safeguarding clause and which gives contractors until December 2017 to complete implementation. However, as a result of this new FAR rule, covered defense contractors no longer have until the end of 2017 to implement 15 of the 100+ NIST SP 800-171 requirements; instead they will need to take steps to implement the 15 called for by the FAR rule by the middle of June just like civilian agency contractors and subcontractors that may not be subject to the DFARS rule. Finally, as with the DFARS provision, there is no explicit enforcement mechanism embedded in the clause. Nonetheless, contractors and subcontractors should consider taking steps to assess their compliance with the specified safeguarding standards in the final rule.