This year has been marked by a number of important changes and updated contracting procedures aimed at improving the U.S. Federal Government’s cybersecurity systems. Against the backdrop of President Obama’s Cybersecurity National Action Program, launched earlier this year, a new Federal Acquisition Regulation (FAR) rule has recently arrived which addresses basic safeguarding of contractor information systems. This may seem innocuous at first, but the change should not be taken for granted by the contractor community.

Overview of the FAR Final Rule

In a collective effort, the General Services Administration (GSA) along with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA), have implemented a Final Rule, adding a new subpart and a supporting contract clause to the FAR.

The amendment aims to reinforce strategic safeguarding measures of contractor information systems that convey “federal contract information.” This includes private information provided by or generated for government agencies through contracts intending to develop a product or service for an agency. The rule applies to all acquisitions including commercial items, not including commercial off-the-shelf items (“COTS”).

Contractors with a Commercial Items Practice should take note of the additional safeguarding measures.

How the Final Rule Will Impact Contractors

The Final Rule will apply to a contractor once they accept a contract that contains the new revision, FAR 52.204-21, defined as “Basic Safeguarding of Covered Contactor Information Systems.” The Government expects this clause to have an immediate impact once implemented, mandating the most basic level of safeguarding across a multitude of contracts.

Furthermore, Contracting Officers (COs) are required to include the new FAR 52.204-21 rule in solicitations and contracts when a contractor or subcontractor may have “federal contract information” residing in or transitioning through any of their information systems.

The Final Rule enacts a set of fifteen security control requirements for contractor information systems that contain fragile federal contract information.

These rules include:

1. Limit access to authorized users.
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify controls on connections to external information systems.
4. Impose controls on information that is posted or processed on publicly accessible information systems.
5. Identify information system users and processes acting on behalf of users or devices.
6. Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
7. Sanitize or destroy information system media containing federal contract information before disposal, release, or reuse.
8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
11. Implement sub networks for publically accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

The Final Rule does not relieve contractors of obligations presented by the safeguarding of distinct Government information. This includes controlled unclassified information (CUI) and covered defense information, both of which require additional protection through respective contractors.

As funds continue to roll out for the improvement of cyber capabilities government wide, contractors are highly encouraged to begin necessary system alignment immediately, in order to meet the new FAR requirements.

The Final Rule is only a preliminary step in a vast series of regulatory developments in the cybersecurity industry.

To identify current cyber vulnerabilities, federal contractors can conduct an assessment guided by an independent security auditor and NIST framework (SP 800-171 or SP 800-53a). They may also conduct routine cyber employee training, acquire cyber liability insurance and adopt a robust Incident Response Plan.

Since most organizations focus on both prevention and detection, using threat intelligence data is an important way to ensure continuous monitoring as new cyber threats emerge. Winvale created the Dark Web ID platform as a compensatory security measure that can be an effective, continuous monitoring tool for federal contractors and subcontractors. Contact us today to learn more.