Cyber Rule to Safeguard Contractor System

GOVERNMENT CONTRACTING INSIGHTS DEFENSE CONTRACTING

Cyber Rule to Safeguard Contractor System

7/1/2016
By Susan B. Cassidy

Photo: iStock

The Defense Department, General Services Administration and NASA issued a final rule May 16 to add a new subpart and contract clause to the Federal Acquisition Regulation “for the basic safeguarding of contractor information systems that process, store, or transmit federal contract information.”

The focus of the final rule is on protecting contractor systems rather than specific government information. It imposes a set of 15 “basic” security controls for contractor information systems upon which federal contract information transits or resides.

Federal contract information is defined broadly as information provided by or generated for the government under a contract to develop or deliver a product or service. Federal contract information does not include either information provided by the government to the public, such as that found on public websites, or simple transactional information, such as that used for payment processing.

The vast majority of federal contractors will be subject to these requirements once they accept the new FAR clause.

Contracting officers are required to include this clause in “solicitations and contracts when the contractor or a subcontractor at any tier may have federal contract information residing in or transiting through its information system.”

Similarly, prime contractors must flow the substance of this clause to subcontractors — except for commercial suppliers — if that subcontractor “may have” federal contract information residing in or transiting through its information systems. This rule is limited to basic safeguarding of relevant information systems, and there are no requirements to report cyber incidents to the government.

The rule does not excuse other obligations imposed on contractors for the safeguarding of other government information, including controlled unclassified information or covered defense information.

The final rule is only the first step in a number of interrelated regulatory actions being taken in the cybersecurity area. Last summer, the Office of Management and Budget published draft guidance intended to improve and clarify cybersecurity protections in federal acquisitions. OMB proposed direction to federal agencies on “implementing strengthened cybersecurity protections in federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to controlled unclassified information on behalf of the federal government.”

“Controlled unclassified” is defined as information that laws, regulations, or government-wide policies require to have safeguarding or dissemination controls, excluding classified information. The comments preceding the final rule explain that it is “intended to provide a basic set of protections for all federal contract information.” A single FAR clause eventually will apply the full set of National Institute of Standards and Technology requirements on contractors that have controlled unclassified information on their systems.

The rule characterizes the 15 security controls as “comparable” to NIST controls. The full set of NIST 800-171 security controls are imposed on Defense Department contractors with “covered defense information” on their systems.

Presumably, contractors that are in compliance with DFARS 252.204-7012 will be in compliance with this new FAR provision. Contractors will need to consult with their info-tech experts and factor in any 800-171 security controls that the company does not presently meet given DoD’s December 2017 implementation deadline.

The 15 security controls listed in the final rule are directed at protection of the information system, and none are devoted to perimeter devices, although some are applied at the perimeter of the system. They are:

• Limit access to authorized users.
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify controls on connections to external information systems.
• Impose controls on information that is posted or processed on publicly accessible information systems.
• Identify information system users and processes acting on behalf of users or devices.
• Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
• Sanitize or destroy information system media containing federal contract information before disposal, release, or reuse.
• Limit physical access to information systems, equipment, and operating environments to authorized individuals.
• Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
• Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
• Implement sub networks for publically accessible system components that are physically or logically separated from internal networks.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

This rule represents only one step in a series of regulatory actions expected this year. Although it will apply to most contractors, the government views these requirements only as basic safeguarding that “prudent business persons” would implement on their systems.

Susan B. Cassidy is a partner with Covington & Burling LLP in Washington, D.C., and specializes in government procurement law.

Topics: Defense Contracting, Defense Contracting, Cyber

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES