New Rule for Safeguarding Federal Contract Information

The FAR Councils have published a final rule to address the safeguarding of contractor information systems that contain or process information provided by or generated for the Government. This new regulation does not apply to information that is public. It addresses basic and enhanced safeguarding procedures for the protection of DoD unclassified information. These new rules apply to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information. The effective date is about a month out, June 17, 2016.

This new rule applies to information systems that are owned or operated by a contractor that processes, stores, or transmits Federal contract information. Federal contract information is information that is not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public or simple transactional information, such as necessary to process payments.

Information includes any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information system, in this context, means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

So, what are the new expectations for safeguarding such information? Well, the FAR Councils have come up with a list of 15 basic safeguarding requirements and procedures.

1. Limit information system access to authorized users
2. Limit information system access to the type of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate the identities of those users, processes, or devices, as a prerequisite to allowing access to organization information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organization information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organization communications.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These safeguards are basically fundamental internal controls for any information system. Most likely, larger contractors already have them (or their equivalent) in place. Smaller contractors may have a bit of work to do, providing they are covered by the new rule. Even if not covered, contractors would do well to use this as a checklist for assessing the adequacy and sufficiency of internal controls over their own information systems.

The new rule contains a flow-down provision to subcontractors.