The document summarizes a new Final Rule added to the Federal Acquisition Regulation (FAR) that imposes basic cybersecurity safeguarding requirements on contractor information systems that process, store, or transmit federal contract information. The Final Rule was issued jointly by the GSA, DoD, and NASA and requires contractors to implement 15 basic security controls on such systems. The post characterizes the rule as only a preliminary regulatory step, but encourages contractors to begin aligning their systems with the new FAR requirements now.
FAR 'Final Rule' Blog
New FAR ‘Final Rule’ Imposes Security Safeguard Requirements for Contractor Information Systems
Posted by Daniel Gardner on May 24, 2016 3:47:30 PM
This year has been marked by a number of important changes and updated contracting procedures aimed at improving the U.S. Federal Government's cybersecurity systems. Against the backdrop of President Obama's Cybersecurity National Action Plan (CNAP), launched earlier this year, a new Federal Acquisition Regulation (FAR) rule has recently arrived which addresses basic safeguarding of contractor information systems. This may seem innocuous at first, but the change should not be taken for granted by the contractor community. Despite small businesses contributing the majority of the Multiple Award Schedules' total revenue, IT start-ups with emerging state-of-the-art technology have found it increasingly difficult to join this channel, and a new baseline of mandatory security requirements adds to that burden.
Overview of the FAR Final Rule
In a collective effort, the General Services Administration (GSA), the Department of Defense (DoD), and the National Aeronautics and Space Administration (NASA) have implemented a Final Rule adding a new subpart (FAR Subpart 4.19) and a supporting contract clause to the FAR.
The amendment aims to establish basic safeguarding measures for contractor information systems that process, store, or transmit "federal contract information." The rule defines this as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government; it excludes information the Government provides to the public (such as on public websites) and simple transactional information, such as that necessary to process payments. The rule applies to all acquisitions, including acquisitions of commercial items, but not to acquisitions of commercial off-the-shelf ("COTS") items.
Contractors with a Commercial Items Practice should take note of the additional safeguarding measures.
How the Final Rule Will Impact Contractors
The Final Rule will apply to a contractor once they accept a contract that contains the new clause, FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." The Government expects this clause to have an immediate impact once implemented, mandating the most basic level of safeguarding across a multitude of contracts.
Furthermore, Contracting Officers (COs) are required to include the new FAR 52.204-21 clause in solicitations and contracts when a contractor or subcontractor may have "federal contract information" residing in or transiting through any of their information systems. The clause also flows down: a contractor must include its substance in any subcontract (including subcontracts for commercial items other than COTS items) under which the subcontractor may have federal contract information residing in or transiting through its information system.
The Final Rule enacts a set of fifteen security control requirements for contractor information systems that process, store, or transmit federal contract information. These requirements correspond to basic security requirements in NIST SP 800-171 and include:
o Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
o Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
o Verify and control/limit connections to and use of external information systems.
o Control information posted or processed on publicly accessible information systems.
o Identify information system users, processes acting on behalf of users, or devices.
o Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
o Sanitize or destroy information system media containing federal contract information before disposal or release for reuse.
o Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
o Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
o Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
o Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
o Identify, report, and correct information and information system flaws in a timely manner.
o Provide protection from malicious code at appropriate locations within organizational information systems.
o Update malicious code protection mechanisms when new releases are available.
o Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
The Final Rule does not relieve contractors of obligations imposed by other safeguarding requirements that apply to particular categories of Government information. These include controlled unclassified information (CUI) and covered defense information, both of which require additional protection under their own respective requirements and contract clauses (for covered defense information, DFARS 252.204-7012).
As funds continue to roll out for the improvement of cyber capabilities government-wide, contractors are highly encouraged to begin the necessary system alignment immediately in order to meet the new FAR requirements.
The Final Rule is only a preliminary step in a vast series of regulatory developments in the cybersecurity industry.
To identify current cyber vulnerabilities and gaps against these requirements, federal contractors can conduct an assessment guided by an independent security auditor and a NIST publication (SP 800-171, whose basic requirements these fifteen controls correspond to, or the assessment procedures in SP 800-53A). They may also conduct routine cyber employee training, acquire cyber liability insurance, and adopt a robust Incident Response Plan.
Since most organizations focus on both prevention and detection, using threat intelligence data is an important way to ensure continuous monitoring as new cyber threats emerge. Winvale created the Dark Web ID platform as a compensatory security measure that can be an effective, continuous monitoring tool for federal contractors and subcontractors. Contact us today to learn more.