Part Two: FAR Ruling 52.204-21 Security Requirements

By Eric Noonan • June 21, 2016

This is part two of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that would impose similar rules and requirements to the Defense Federal Acquisition Register rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable.  NIST 800-171 has been implemented as the requirements for DFARS.  These new regulations apply to contractors that are not part of the Department of Defense.

The new cybersecurity requirements, which are described below, are very similar to the 14 control families of NIST 800-171, however, these are the 15 requirement categories that federal contractors will be required to meet.

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate to verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
  10. Monitor, control, protect organization communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publically accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These categories can apply to any solicitation and contract when the contractor or a subcontractor may have federal contract information residing in or transiting through its information system.  It does not apply to contracts for Commercial Off the Shelf (COTS) items.

One surprising item of note on the updated rules is that there were no reporting requirements to the Government mentioned anywhere in the clause.  Unlike DFARS, where a contractor has 72 hours to report an incident after discovery, the FAR rule does not impose any type of requirement.  However, this may change in the future because reporting incidents helps other organizations be on the lookout for similar suspicious activity or incidents within their own.

As more information becomes available, CyberSheath will be there to help you navigate your regulatory requirements.  Contact us today to learn how we can help you.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security