A new rule proposed for federal government contractors will require that all federal contracts over $100,000 (including contracts for commercial items and those to small businesses) will have to include a clause requiring the contractor to implement basic data security protections for any non-public data provided to the contractor by the federal government or generated by the contractor for the government. If the rule is adopted, it will require that any such non-public information residing on or passing through a contractor’s information system be protected from unauthorized access and disclosure. The Department of Defense, the General Services Administration and the National Aeronautics and Space Administration all recognize that an outgrowth of the requirements for federal agencies to provide security for information and information systems that support federal agency operations, as set forth under the Federal Information Security Act of 2002, includes the information and information systems managed by contractors.
Specific requirements include prohibitions on:
- Processing government non-public information on public computers (e.g., kiosks or hotel business centers), on computers that lack access control or through web sites that lack user access controls such as ID/passwords or user certificates;
- Transmitting email, text messages or other communications of government non-public information without using encryption and other best practices to provide security and privacy;
- Using voice or fax transmittal of government non-public information unless the sender has a “reasonable assurance” that access to the communication is limited to authorized recipients;
- Failing to protect government non-public information with both physical and electronic barriers to access;
- Failing to sanitize physical media (disk drives, CDs, flash memory, etc.) of all government non-public information before releasing or disposing of the media;
- Failing to implement and maintain current releases of anti-virus/antispyware software and failing to promptly apply security-relevant operating system and application software upgrades; and
- Transferring government non-public information to subcontractors or other third-parties that are not contractually bound to the contractor to implement these same protections.
Contractors whose work requires use of classified, sensitive, personal or health related data have been subject to strict data security requirements for many years. This is the first time that a data security rule applicable to such a broad swath of government contractors has been proposed. Its requirements are relatively modest, reflecting a standard of care already common in industry. It does emphasize that federal agencies are under considerable Congressional pressure to reduce the government’s exposure to data security breaches through one of its most vulnerable access points – the contractors agencies employ to perform numerous functions requiring access to non-public data.
If this rule is made final and provisions are passed through to government contracts, contractors of all sizes will need to evaluate their information systems and written information security programs in order to maintain compliance.
Comments on the proposed rule are being accepted through October 23, 2012 at www.regulations.gov (Cite FAR Case 2011-020).