On May 16, 2016, the FAR Council issued a Final Rule in the Federal Register that requires federal government contractors and subcontractors to implement safeguards to protect systems that process, store or transmit information relating to U.S. Government contracts. The New Rule will become effective on June 15, 2016, and will be implemented by incorporation of a new FAR clause, 52.204-21, in many government contracts and subcontracts. Only contracts and subcontracts for COTS products are exempt from the rule.
The new FAR clause requires contractors to employ security measures to protect systems that process, store or transmit "federal contract information," which is defined to include potentially any information that is provided by or generated for the Government under a federal government contract. While public information and simple transactional information necessary to process payments are expressly exempt, it is unclear what might constitute simple transactional information, or whether any contractor business systems would normally be limited to only these types of exempt information.
The FAR clause identifies 15 different measures deemed minimally necessary to safeguard contractor information systems handling federal contract information. These measures include, among others, user verification and authentication, limitations on the types of transactions and functions authorized per user, destruction of covered system media before disposal or reuse, physical security controls, monitoring of organizational communications, timely identification and correction of system flaws, protection against malicious code, implementation of up-to-date releases of security software, and periodic and real-time scanning of files. The Final Rule explains that these safeguards are considered a baseline upon which other, more stringent agency-specific and regulatory controls may apply, and that the most stringent applicable information security controls will prevail.
The most notable implication of the Final Rule may not relate to the actual information security requirements, but rather to the potentially expansive application of these requirements to companies and their systems. While contracts for COTS products are exempt, it would take only a single contract or subcontract for other than COTS products to trigger the new security requirements, and in that event every system that may process, store or transmit federal contract information would be subject to at least the minimum security measures identified in the clause. Moreover, the FAR defines subcontracts broadly and sometimes ambiguously. As a result, most companies providing products or services at any tier within the federal acquisition supply chain likely will become subject to the security standards identified in the Final Rule. All contractors and subcontractors should promptly assess whether their systems comply.