This year has been marked by a number of important changes and updated contracting procedures aimed at improving the U.S. Federal Government’s cybersecurity systems. Against the backdrop of President Obama’s Cybersecurity National Action Program, launched earlier this year, a new Federal Acquisition Regulation (FAR) rule has recently arrived which addresses basic safeguarding of contractor information systems. This may seem innocuous at first, but the change should not be taken for granted by the contractor community.
In a collective effort, the General Services Administration (GSA), the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA) have implemented a Final Rule, adding a new subpart and a supporting contract clause to the FAR.
The amendment aims to reinforce strategic safeguarding measures of contractor information systems that convey “federal contract information.” This includes private information provided by or generated for government agencies through contracts intending to develop a product or service for an agency. The rule applies to all acquisitions, including those for commercial items, but not to commercial off-the-shelf (“COTS”) items.
The Final Rule will apply to a contractor once they accept a contract that contains the new clause, FAR 52.204-21, titled “Basic Safeguarding of Covered Contractor Information Systems.” The Government expects this clause to have an immediate impact once implemented, mandating the most basic level of safeguarding across a multitude of contracts.
Furthermore, Contracting Officers (COs) are required to include the new FAR 52.204-21 rule in solicitations and contracts when a contractor or subcontractor may have “federal contract information” residing in or transitioning through any of their information systems.
The Final Rule enacts a set of fifteen security control requirements for contractor information systems that contain fragile federal contract information.
The Final Rule does not relieve contractors of their obligations to safeguard other distinct categories of Government information. These include controlled unclassified information (CUI) and covered defense information, both of which require additional protection by the respective contractors.
As funds continue to roll out for the improvement of cyber capabilities government-wide, contractors are highly encouraged to begin the necessary system alignment immediately in order to meet the new FAR requirements.
To identify current cyber vulnerabilities, federal contractors can conduct an assessment guided by an independent security auditor and a NIST framework (SP 800-171 or SP 800-53A). They may also conduct routine employee cybersecurity training, acquire cyber liability insurance and adopt a robust Incident Response Plan.
Since most organizations focus on both prevention and detection, using threat intelligence data is an important way to ensure continuous monitoring as new cyber threats emerge. Winvale created the Dark Web ID platform as a compensatory security measure that can be an effective, continuous monitoring tool for federal contractors and subcontractors. Contact us today to learn more.