Part Two: FAR Ruling 52.204-21 Security Requirements

This is part two of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that would impose similar rules and requirements to the Defense Federal Acquisition Register rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable.  NIST 800-171 has been implemented as the requirements for DFARS.  These new regulations apply to contractors that are not part of the Department of Defense.

The new cybersecurity requirements, which are described below, are very similar to the 14 control families of NIST 800-171, however, these are the 15 requirement categories that federal contractors will be required to meet.

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate to verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
  10. Monitor, control, protect organization communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publically accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These categories can apply to any solicitation and contract when the contractor or a subcontractor may have federal contract information residing in or transiting through its information system.  It does not apply to contracts for Commercial Off the Shelf (COTS) items.

One surprising item of note on the updated rules is that there were no reporting requirements to the Government mentioned anywhere in the clause.  Unlike DFARS, where a contractor has 72 hours to report an incident after discovery, the FAR rule does not impose any type of requirement.  However, this may change in the future because reporting incidents helps other organizations be on the lookout for similar suspicious activity or incidents within their own.

As more information becomes available, CyberSheath will be there to help you navigate your regulatory requirements.  Contact us today to learn how we can help you.