On Monday, May 16, 2016, the FAR Council is expected to issue its long-awaited final FAR rule ("the Final Rule") on safeguarding contractor information systems. The rule, which takes effect on June 15, 2016, creates a new contract clause, FAR 52.204-21, that requires contractors to safeguard their information systems whenever "federal contract information" is resident on or transiting those systems. It applies broadly to prime contractors and subcontractors, including commercial item contractors.
The Final Rule follows a proposed rule that was issued back on August 24, 2012. Since then, as we've noted in prior alerts, there have been extensive developments in the cyber area for government contractors, including most recently:
- DOD's covered defense information ("CDI") clause
- NARA's controlled unclassified information ("CUI") program
- OMB's draft guidance related to safeguarding CUI
The Final Rule clearly is intended to be a baseline of security controls, to be supplemented by additional agency or contract-specific obligations, including future changes in security requirements.
The Final Rule requires contractors, both prime contractors and subcontractors, to safeguard information systems containing "federal contract information." This information type is new. It is not referenced in DOD's CDI clause, or in the NARA or OMB materials addressing safeguarding of CUI.
"Federal contract information" is defined in the Final Rule to mean non-public information "that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." The use of the phrase "generated for the Government" is quite broad, but the FAR Council rejected a comment suggesting the narrower "delivered to the Government." In this way, while the information that triggers the protection must have a nexus to the development or delivery of a product or service to the government, the preamble to the Final Rule makes clear that the "intent is that the scope and applicability of this rule [will] be very broad." In essence, the Final Rule creates a set of obligations for virtually any contractor doing business with the federal government.
The Final Rule imposes 15 security controls on contractors. These controls are fairly standard security requirements. They cover access control, identification and authentication, media sanitization, physical access, boundary protection, and flaw remediation and malicious-code protection (including periodic and real-time scanning), all considered necessary to establish a basic level of cyber hygiene for contractors. The controls are drawn from the "basic" and "derived" security requirements of NIST SP 800-171, which NIST developed to address the safeguarding of controlled unclassified information. Unlike the DFARS CDI clause, there is no grace period for implementation; the controls are mandatory obligations that must be in place at the time of contract award.
But on the bright side, non-DOD contractors subject to the FAR clause are not obligated to comply with each of the 100-plus NIST SP 800-171 requirements. For example, the NIST SP 800-171 multi-factor authentication requirement is not part of the Final Rule. Nor are there any training obligations or system control description obligations. Contractors working to comply with the NIST SP 800-171 requirements under the DFARS CDI clause should consider prioritizing implementation of the Final Rule's 15 controls to ensure immediate compliance with those obligations in connection with new awards. In any event, compliance with these specific controls should not impose a significant additional burden on many contractors.
And in other good news, the Final Rule, at least for now, contains no reporting requirement for cyber breaches or other incidents. It also notes that a cyber breach will not be considered a breach of contract "as long as the safeguards are in place."
The preamble to the Final Rule notes that the rule is just "one step" in what will be a series of "coordinated regulatory actions being taken or planned to strengthen protections of information systems." In addition to this rule, for example, the FAR will be revised to implement the cybersecurity guidance issued by OMB when it is finalized. The FAR will also be revised to incorporate NARA's forthcoming rule regarding the safeguarding of CUI.
It is unclear why, after waiting almost four years, the FAR Council did not wait a little longer and issue this rule when it could be harmonized with those other government initiatives. Nevertheless, even though future changes in this area are inevitable, contractors should immediately conduct a gap analysis of their security controls to ensure compliance with the FAR Council's baseline set of controls.