On Monday, the highly anticipated FAR final rule concerning required contractor IT security protections for federal contract information was issued by the FAR Council. The intent of the new rule is to "ensur[e] a basic level of safeguarding for any contractor system with Federal information." The measures described in the rule have been characterized by the FAR Council as "actions a prudent business person would employ" and "basic safeguarding measures that are generally employed as part of the routine course of doing business."
In a change of approach from the proposed rule, the final rule provides for safeguarding contractor IT systems themselves, as opposed to the specific information in the IT systems. The final rule makes clear that the specified safeguards are only required for those "covered" contractor systems that contain "Federal contract information." The FAR Council acknowledged that the definition of what constitutes "Federal contract information" was purposefully broad – encompassing all non-public information "provided by or generated for the Government under a contract." In essence, the safeguards described in the rule are the most basic protections that most companies employ even absent a rule.
The final rule requires the contracting officer to include FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in all solicitations for contracts that may require "Federal contract information" to reside in or transit through a contractor's (or a subcontractor's) IT systems. The clause applies to all transactions, including those below the simplified acquisition threshold, except for sales of COTS products. Contractors are required to flow the clause down to subcontractors if subcontractor IT systems may process, store, or transmit "Federal contract information."
The rule also makes clear that it does not supplant any other requirements, including the forthcoming rules relating to protections for controlled unclassified information (CUI) as addressed by Executive Order 13556. (For an overview of the maze of cybersecurity regulations applicable to government contractors, see our October 2015 article).
The final rule, available here , is effective June 15, 2016.
The specific safeguarding measures called for in the rule are as follows:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
In light of the new rule, contractors should assess the state of their current IT systems and protections to ensure compliance. Companies that undertake good faith efforts to comply with the FAR clause requirements will be best positioned to avoid breach of contract claims in the event of a data leak or hacking incident. Companies should also carefully vet subcontractors that will carry or transmit government information and data to ensure that their IT security is up to par.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved