Federal Contractors Must Comply With Basic Safeguarding Requirements for Information Systems

Alerts / May 24, 2016

On May 16, 2016, the Department of Defense (“DoD”), General Services Administration (“GSA”) and National Aeronautics and Space Administration (“NASA”) issued a long-anticipated Final Rule amending the Federal Acquisition Regulation (“FAR”) to add a new subpart and contract clause “for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information.” The Final Rule, published at 81 Fed. Reg. 30439, requires federal contractors to implement minimum safeguards for certain information systems “reflective of actions a prudent business person would employ” to protect federal contract information on these systems.

The Final Rule prescribes the new FAR contract clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” for solicitations and contracts under which a contractor or subcontractor “may have Federal contract information residing in or transiting through” their information systems. The clause itself “applies to all acquisitions” where a contractor’s information systems “may contain Federal contract information.” This includes acquisitions below the simplified acquisition threshold, and only commercially available off-the-shelf items are exempt from the Final Rule. The scope and applicability of the Final Rule is intentionally broad “because [the] rule requires only the most basic level of safeguarding.”

The Final Rule’s requirements apply to “covered contractor information system[s],” which broadly include any information system “owned or operated by a contractor that processes, stores, or transmits Federal contract information.” The definition of “Federal contract information” is very broad and generally covers nonpublic information “provided by or generated for the Government under a contract to develop or deliver a product or service to the Government[.]”

The FAR contract clause identifies 15 performance-based security safeguards that contractors must implement to protect their covered information systems. These controls include, among others: (i) limiting system access to authorized users, and to the types of transactions and functions that authorized users are permitted to execute; (ii) sanitizing or destroying information system media containing federal contract information before disposal or release for reuse; (iii) limiting physical access to organizational information systems, equipment and their operating environment to authorized individuals; (iv) escorting visitors and monitoring visitor activity, including maintenance of an audit log of physical access; and (v) monitoring, controlling and protecting organizational communications at the external and key internal boundaries of the information systems. In addition, contractors must flow down the FAR contract clause to subcontractors for subcontracts “in which the subcontractor may have Federal contract information residing in or transiting through its information system.”

Because the Final Rule imposes only minimum standards, it does not affect any other safeguarding requirements that may be specified in contracts involving sensitive information such as Controlled Unclassified Information. Contractors assessing any needed changes to their security processes are advised that more changes are on the way, as DoD, GSA and NASA see the Final Rule as just one step in a larger “plan to develop regulatory changes for the FAR in coordination with National Archives and Records Administration (NARA) which is separately finalizing a rule to implement E.O. 13556 addressing CUI.”

The Final Rule becomes effective on June 15, 2016. Because the Final Rule prescribes only basic safeguards based on what the DoD, GSA and NASA perceive to be common practice in the private sector, many contractors are likely already in compliance. Nevertheless, federal contractors should review their information security practices to ensure that they are in accord with the requirements of the Final Rule; additionally, while the Final Rule is limited only to information systems that may store or transmit federal contract information, contractors should consider the cost-effectiveness of implementing these safeguards on a broader basis in order to avoid inadvertent noncompliance.

Any questions regarding the new requirements may be directed to Barron Avery at or 202.861.1705.

Authorship credit: W. Barron A. Avery

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.