Safeguarding Government Information on Contractor Information Systems

The FAR Councils published a proposal last Friday that addresses basic safeguards for contractor information systems that contain information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems. "Basic protection measures" are first-level information technology security measures used to deter unauthorized disclosure, loss or compromise. Specifically, contractors will be required to provide protective measures in the following areas:

• public computers or web sites
• transmitting electronic information
• transmitting voice and fax information
• physical and electronic barriers
• sanitization (wiping hard drives)
• intrusion protection
• transfer limitations.

This proposed rule will apply to all contractors and subcontractors, regardless of size or business ownership. The FAR Councils do not believe the cost impact of compliance will be significant because first level protective measures are already employed at most locations as part of the routine course of doing business. The Councils believe that the cost of not employing first level protective measures could be very costly to both the Government and contractors if sensitive or valuable information is lost. In this case, the potential benefits greatly outweigh the cost.

You can read the full proposal here. Public comments are due by October 23rd.