Part Two: FAR Ruling 52.204-21 Security Requirements

By Eric Noonan • June 21, 2016

This is part two of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that would impose rules and requirements similar to those of the Defense Federal Acquisition Register rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable. NIST 800-171 has been implemented as the requirements for DFARS. These new regulations apply to contractors that are not part of the Department of Defense.

The new cybersecurity requirements, which are described below, are very similar to the 14 control families of NIST 800-171. However, these are the 15 requirement categories that federal contractors will be required to meet.

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate to verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
  10. Monitor, control, and protect organization communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These categories can apply to any solicitation and contract when the contractor or a subcontractor may have federal contract information residing in or transiting through its information system.  It does not apply to contracts for Commercial Off the Shelf (COTS) items.

One surprising item of note in the updated rules is that no reporting requirements to the Government are mentioned anywhere in the clause. Unlike DFARS, where a contractor has 72 hours to report an incident after discovery, the FAR rule does not impose any type of requirement. However, this may change in the future because reporting incidents helps other organizations be on the lookout for similar suspicious activity or incidents within their own organizations.

As more information becomes available, CyberSheath will be there to help you navigate your regulatory requirements.  Contact us today to learn how we can help you.
