Part Three: FAR Ruling 52.204-21 Definitions

By Eric Noonan • July 19, 2016

This is part three of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  If you haven’t read part one or part two,  please take a few minutes to read it before continuing.

The recent FAR ruling, released with input from the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), have expanded on definitions that affect contractor organizations that process or store Federal contract information on behalf of the federal government in support of government contracts.  This post with explore the definitions in an attempt to bring a little clarity to the vague terms that apply to these systems.

Covered contractor information system:  This is an umbrella term covering unclassified information systems that are owned or operated by a contractor.   A covered contractor information system can apply to a single system, or multiple systems networked together.  File servers, data backup systems, desktop, and mobile endpoints can be considered a covered contractor information system if it processes, stores or transmits Federal contract information.

Federal contract information: This means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. This does not include information provided by the Government to the public (such as that on public web sites) or simple transactional information, such as that necessary to process payments.

Information system: This term as defined by FAR clause 52.204-21, is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.  The traditional definition of an information system is any organized system for the collection, organization, processing, storage, and communication of information.  Organizations and people use information systems to collect, filter, process, create and distribute data often times using networked computers.  A typical information system is made up of hardware, software, data, policies and procedures, people, and feedback.

Information: Traditionally, information is defined as facts provided about something or someone or something that is conveyed or represented by a particular arrangement.  In the context defined by FAR clause 52.204-21, this term means any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.  It is important to note that any medium is covered under this definition, so the focus will not just be electronic systems, but also safeguarding digital and non-digital media.

Whether your organization is just learning about the new FAR ruling for the first time, or you are updating your security controls to be compliant, CyberSheath can help you.  Don’t wait to begin your path to compliance.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.