The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) recently issued a final rule aimed at ensuring a basic level of protection for covered contractor information systems. The new rule is just one in a series of regulatory actions being taken or planned to strengthen protections for information systems. It is intended to establish a basic set of protections on which other rules, like the forthcoming Federal Acquisition Regulation (FAR) rule to protect controlled unclassified information (CUI), may build.
In response to comments on the proposed rule, the focus of the final rule was changed from protecting specific information contained in a system to safeguarding covered contractor information systems, which are defined as contractor-owned information systems that process, store, or transmit Federal contract information. In this regard, “Federal contract information” means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”
The government considers the protections required under the rule to be those that a prudent business would employ even if it were not covered by the rule. The rule does not relieve contractors of any other requirements imposed on a contractor in connection with CUI or higher-level sensitive information.
The rule creates a new contract clause, FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, which requires contractors to apply, at a minimum, the following fifteen security controls:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
- Verify and control/limit connections to and use of external information systems;
- Control information posted or processed on publicly accessible information systems;
- Identify information system users, processes acting on behalf of users, or devices;
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
- Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse;
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
- Identify, report, and correct information and information system flaws in a timely manner;
- Provide protection from malicious code at appropriate locations within organizational information systems;
- Update malicious code protection mechanisms when new releases are available; and
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
The new contract clause must be included in all solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. And prime contractors must flow it down in every subcontract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items) in which the subcontractor may have Federal contract information residing in or transiting through its information system.
Eric Whytsell is responsible for the contents of this Article.
© 2016 Jackson Kelly PLLC