Cyber Rule to Safeguard Contractor System

By Susan B. Cassidy

The Defense Department, General Services Administration and NASA issued a final rule May 16 to add a new subpart and contract clause to the Federal Acquisition Regulation “for the basic safeguarding of contractor information systems that process, store, or transmit federal contract information.”  

The focus of the final rule is on protecting contractor systems rather than specific government information. It imposes a set of 15 “basic” security controls on any contractor information system on which federal contract information resides or through which it transits.

Federal contract information is defined broadly as information provided by or generated for the government under a contract to develop or deliver a product or service. Federal contract information does not include either information provided by the government to the public, such as that found on public websites, or simple transactional information, such as that used for payment processing.  

The vast majority of federal contractors will be subject to these requirements once they accept the new FAR clause.

Contracting officers are required to include this clause in “solicitations and contracts when the contractor or a subcontractor at any tier may have federal contract information residing in or transiting through its information system.”  

Similarly, prime contractors must flow the substance of this clause down to subcontractors at any tier, other than subcontracts for commercially available off-the-shelf items, whenever the subcontractor “may have” federal contract information residing in or transiting through its information systems. The rule is limited to basic safeguarding of the relevant information systems; it imposes no requirement to report cyber incidents to the government.

The rule does not excuse other obligations imposed on contractors for the safeguarding of other government information, including controlled unclassified information or covered defense information.

The final rule is only the first step in a number of interrelated regulatory actions being taken in the cybersecurity area. Last summer, the Office of Management and Budget published draft guidance intended to improve and clarify cybersecurity protections in federal acquisitions. OMB proposed direction to federal agencies on “implementing strengthened cybersecurity protections in federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to controlled unclassified information on behalf of the federal government.”  

“Controlled unclassified” is defined as information that laws, regulations, or government-wide policies require to have safeguarding or dissemination controls, excluding classified information. The comments preceding the final rule explain that it is “intended to provide a basic set of protections for all federal contract information.” A single FAR clause eventually will apply the full set of National Institute of Standards and Technology requirements on contractors that have controlled unclassified information on their systems.  

The rule characterizes the 15 security controls as “comparable” to a subset of the security requirements in NIST Special Publication 800-171. The full set of NIST 800-171 security requirements is imposed on Defense Department contractors with “covered defense information” on their systems.

Presumably, contractors that are in compliance with DFARS 252.204-7012 will also be in compliance with this new FAR provision. Contractors should consult their information-technology staff and account for any 800-171 security requirements the company does not yet meet, given DoD’s December 2017 implementation deadline.

The 15 security controls listed in the final rule are directed at protection of the information system, and none are devoted to perimeter devices, although some are applied at the perimeter of the system. They are:  

• Limit access to authorized users.
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify controls on connections to external information systems.
• Impose controls on information that is posted or processed on publicly accessible information systems.
• Identify information system users and processes acting on behalf of users or devices.
• Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
• Sanitize or destroy information system media containing federal contract information before disposal, release, or reuse.
• Limit physical access to information systems, equipment, and operating environments to authorized individuals.
• Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
• Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

This rule represents only one step in a series of regulatory actions expected this year. Although it will apply to most contractors, the government views these requirements only as basic safeguarding that “prudent business persons” would implement on their systems.

Susan B. Cassidy is a partner with Covington & Burling LLP in Washington, D.C., and specializes in government procurement law.