On May 16, 2016, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued a Final Rule adding a new subpart and contract clause (52.204-21) to the Federal Acquisition Regulation (FAR) for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.

The Rule imposes a set of fifteen (15) “basic” security controls on contractor information systems through which “Federal contract information” transits or on which it resides. Federal contract information is defined as information provided by or generated for the Government under a contract to develop or deliver a product or service for the Government, but does not include either: (1) information provided by the Government to the public, such as on a website, or (2) simple transactional information, such as that needed to process payments. Given the breadth of this definition, the vast majority of federal contractors will be covered by the Rule once they accept the clause.
FAR 52.204-21 List of Security Controls

These fifteen (15) "basic" security controls consist of the following:

1. Limit access to authorized users.
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify controls on connections to external information systems.
4. Impose controls on information that is posted or processed on publicly accessible information systems.
5. Identify information system users and processes acting on behalf of users or devices.
6. Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

The clause does not relieve the contractor of any other specific safeguarding requirement specified by Federal agencies and departments as it relates to covered contractor information systems generally or other Federal requirements for safeguarding Controlled Unclassified Information (CUI), such as DFARS compliance. Thus, systems that contain classified information, or CUI such as personally identifiable information, require more than the basic level of protection.

FAR 52.204-21, Safeguarding of Contractor Information Systems