Part Two: FAR Ruling 52.204-21 Security Requirements

By Eric Noonan • June 21, 2016

This is part two of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that would impose rules and requirements similar to those of the Defense Federal Acquisition Register rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable. NIST 800-171 has been implemented as the set of requirements for DFARS. These new regulations apply to contractors that are not part of the Department of Defense.

The new cybersecurity requirements, which are described below, are very similar to the 14 control families of NIST 800-171; however, the following 15 requirement categories are the ones federal contractors will be required to meet.

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate to verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
  10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These categories can apply to any solicitation and contract when the contractor or a subcontractor may have federal contract information residing in or transiting through its information system. It does not apply to contracts for Commercial Off the Shelf (COTS) items.

One surprising item of note in the updated rules is that no reporting requirements to the Government are mentioned anywhere in the clause. Unlike DFARS, where a contractor has 72 hours to report an incident after discovery, the FAR rule does not impose any such requirement. However, this may change in the future, because reporting incidents helps other organizations be on the lookout for similar suspicious activity or incidents within their own environments.

As more information becomes available, CyberSheath will be there to help you navigate your regulatory requirements. Contact us today to learn how we can help you.
