Safeguarding of Contractor Information Systems Final Rule Issued
The Department of Defense, General Services Administration, and National Aeronautics and Space Administration issued a final rule on the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information (“FCI”). Effective June 15, 2016, Federal Acquisition Regulation (“FAR”) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, was created and will be included in all solicitations and new contracts. It will apply below the simplified acquisition threshold and will be a required flow-down clause. It will not apply to commercial off-the-shelf items, but will apply to commercial items and to services where FCI occurs.
FCI is nonpublic information that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on a public website) or simple transactional information (such as to process payments). The clause was issued because it was determined that industry best practices and market forces just weren’t forcing contractors to do enough to specifically safeguard FCI. Accordingly, the clause provides for safeguarding of the contractor’s system, rather than specific information within the system, which can help relieve significant burden for companies.
The new FAR clause is intended to make it easier for contractors to comply with the Federal Information Security Management Act and the National Institute of Standards and Technology requirements without imposing the time and cost burdens that a contractor would otherwise have to incur for compliance. There are 15 basic safeguarding requirements to protect covered contractor information systems, and these 15 controls are required “at a minimum” and described as security control requirements “reflective of actions a prudent business person would employ.”
There are still unknown issues with the language of the FAR clause, which only time will be able to clarify. For FCI that was received prior to the effective date of the rule, will contracting officers be issuing modifications to add this clause to contracts already awarded and thus require contractors to apply safeguard measures to that data? How will compliance with the safeguard measures be enforced?
The final ruling also stated that this is merely one step in a series of “coordinated regulatory actions.” As such, Cherry Bekaert will continue to follow any changes or new implications of this FAR clause. Feel free to contact your Cherry Bekaert GovCon professional to discuss how this new clause might impact you.