On Monday, May 16, 2016, the Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) issued a long anticipated Final Rule amending the Federal Acquisition Regulation (“FAR”) to add a new subpart 4.19 and contract clause 52.204-21 for the safeguarding of contractor information systems that process, store or transmit Federal contract information. The Final Rule, effective June 15, 2016, focuses on ensuring a basic level of safeguarding for any contractor system with Federal information, dictating fifteen security control requirements described in the Federal Register notice as reflecting “actions a prudent business person would employ.” The scope of the Final Rule is broad, and it requires “only the most basic level of safeguarding,” which Federal agencies are already required to follow internally and most businesses already follow as well.
The Final Rule states the contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. The Final Rule, which is not applicable to the acquisition of commercially available off-the-shelf items, is intended to provide a basic set of protections for all Federal contract information and does not relieve the contractor of additional safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other safeguarding requirements for controlled unclassified information (“CUI”). Additional safeguarding standards not covered by this Final Rule, such as cyber incident reporting requirements, will apply to contractor systems containing CUI or higher-level sensitive information requiring more than the basic level of protection.
The Federal Register notice (available here) acknowledges this Final Rule is a step in a series of coordinated regulatory actions intended to strengthen protection of information systems. The notice states the Final Rule is, among other aims, intended to improve consistency, where appropriate, in safeguarding practices across agencies by clarifying the application of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) information systems requirements to contractors.
The full text of the Final Rule is available here.