Final FAR Rule Requires Government Contractors to Safeguard Information Systems

On May 16, 2016, the U.S. Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration (collectively, the “Federal Agencies”) published a final rule, which can be found here, that amends the Federal Acquisition Regulation (FAR) to add a new subpart – Subpart 4.19 — Basic Safeguarding of Covered Contractor Information Systems – and a new contract clause – FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

The new subpart and FAR clause require basic safeguarding of federal contractor information systems that process, store or transmit federal contract information. Under the proposed rule, “federal contract information” means information not intended for public release but that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. The rule, however, does not include information that the Government provides to the public (such as on a public website) or simple transactional information (such as information necessary to process payments).

The new subpart and FAR clause applies to all acquisitions in which a contractor’s information systems may contain federal contract information, including acquisitions for commercial items other than commercially available off-the-shelf-items. Under the new rule, which become effective June 15, 2016, contractors are required to:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Contractors are also required to flow-down the substance of the new FAR clause to subcontracts, including subcontracts for commercial items (other than subcontracts for commercially available off-the-shelf items), in which a subcontractor may have federal contract information residing in or transiting through its information system.

As the Federal Agencies stated in the preamble, the new rule is “just one step in a series of coordinated regulatory actions” that are being taken or planned to protect federal information systems. Indeed, the Federal Agencies anticipate that new FAR rules will be proposed to implement cybersecurity protections as they are developed by OMB that cover “controlled unclassified information” (CUI) in systems operated by contractors on behalf of the Government. Contractors should, therefore, monitor these information security developments.  The Amadeo Law Firm will publish updates as new rules and guidance are issued.