Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements

Justin A. Chiarodo,  Philip E. Beshara, and Heather L. Petrovich

The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.

Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate.

The new Rule (available here) broadly applies to all federal contractors and subcontractors with information systems that process, store, or transmit “federal contract information” (i.e., information provided by, or generated for, the government under a federal contract). These safeguarding requirements will be imposed on most acquisitions (including acquisitions below the simplified acquisition threshold and commercial item procurements). The only exception is the acquisition of commercial-off-the-shelf (“COTS”) items. Contractors and subcontractors must also flow down the requirements to all subcontracts where the subcontractor may have federal contract information residing in—or transiting through—its information systems.

While the Rule imposes 15 new requirements, they are characterized as “basic” security controls. Indeed, many companies will already be familiar with these standards, as most, if not all, are employed as standard best practices. Several are drawn directly from the National Institute of Standards and Technology (“NIST”) guidelines applicable to federal agencies. Importantly, the Rule does not impact the considerably higher safeguarding standards governing contractors dealing with Controlled Unclassified Information (“CUI”) or classified information.

Compliance with these safeguards may not only shield a contractor from liability in the event of an inadvertent release of information, but as the government indicated in its commenting on the Rule, the failure of a contractor to maintain the required safeguards may constitute a breach of a contract. Nonetheless, the security controls set forth in the Rule represent standard industry best practices and should be implemented by any prudent contractor regardless of the presence of covered information. To this end, any company doing business with the federal government should look to these guidelines as representative of the types of essential practices it should employ.

The Final Rule will be implemented through FAR Subpart 4.19 and a new contract clause (FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”). The 15 requirements are set forth below:

1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organizational communications (e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.