New FAR Subpart Requires Government Contractors to Safeguard Information Systems

Over the summer, a new subpart was added to the Federal Acquisition Regulation (FAR) that adds to contractor compliance requirements.  Effective June 15, 2016, GSA, NASA, and the DoD issued a final rule to add new clause and Subpart 4.19 for the protection of contractor information systems that “process, store or transmit Federal contract information.”–federalregister.gov

The clause applies to any contractor system with federal information; the goal of the language is to be “reflective of actions a prudent business person would employ” and is one of several regulatory measures coordinated with other government agencies to guard information systems.  For example, DoD updated a DFARS rule regarding safekeeping of select, sensitive DoD information in certain information systems.

FAR Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems is defined here:

https://www.federalregister.gov/articles/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#h-47

Noteworthy Items:

·  Contracting Officers will insert clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts where the contractor or a sub could have Federal contract information “residing in or transiting through its information system”.

·  The rule applies to all Federal contractors and subcontractors, including those below the simplified acquisition threshold, if the contractor has Federal contract information “residing in or transiting through its information system”.

·  There are no reporting or recordkeeping requirements associated with the rule. Compliance expectations include basic measures such as updating virus protection software, so contractors are not anticipated to incur significant costs.

·  The rule does not apply to the procurement of commercially available off-the-shelf (COTS) items.