
CVM Supplier Diversity Blog

What is the Federal Acquisition Regulation? And Why Is Being FAR Compliant Important?

In May 2016, the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) issued a Final Rule to add a new subpart and contract clause (52.204-21) to the Federal Acquisition Regulation (FAR) “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”

What does this mean for you? Let's start with a quick refresher on the FAR as a whole and then take a look at the update.

What is the Federal Acquisition Regulation?

The Federal Acquisition Regulation is a set of clauses that are part of the Code of Federal Regulations. The FAR is important because it describes the rules for contracting with the federal government. Federal government agencies—as well as government contractors that win a contract—are regulated by the FAR and must follow the procurement rules and policies set forth in the FAR.

FAR Clause 9.405-2 protects the government from subcontractors that are debarred, suspended, or proposed for debarment. The government identifies firms and individuals who are restricted from receiving certain subcontracts, and then it reviews contractor compliance during purchasing reviews.


In this case, debarment means the government has identified firms and individuals who are restricted (barred) from receiving contracts and certain subcontracts due to fraud, waste and/or abuse. For example, commission of fraud, embezzlement, theft, forgery, bribery, falsification or destruction of records, tax evasion, violating Federal criminal laws, receiving stolen property, engaging in unfair trade practices and a history of failing to meet performance standards are all causes for debarment.

The federal government places the responsibility on its prime contractors to protect it from subcontracting with these debarred firms and individuals.

Amendments to the FAR

The FAR is amended when the three government agencies governed by the FAR (DoD, NASA, and GSA), along with the FAR Council, issue proposed and final rules under the “notice and comment” procedures established by the Administrative Procedure Act.

Depending upon how the regulation is promulgated, the number of comments received upon a proposed change, and other factors, the process of amending the FAR can take anywhere from months to years (and, in some cases, a change is proposed but not finalized).

May 2016’s Data Security FAR Amendment

The May 2016 amendment outlines basic requirements for securing data related to federal contracts, part of the government's ongoing effort to strengthen cybersecurity and provide a baseline of protection for all contractors. This rule applies to a contractor's IT systems, so any computer network containing protected government data will need to comply with the new regulations.

Effective June 15, 2016, contractors are required to ensure that the following information security safeguards are in place for the covered contractor information systems:

  • Limit information system access to authorized users, processes, and devices.
  • Limit information system access to permitted transactions and functions.
  • Authenticate identities of users, processes, or devices as a prerequisite to accessing organizational information systems.
  • Limit physical access to information systems, equipment, and operating environments.
  • Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of the information system.
  • Provide protection from malicious code and update malicious-code protection mechanisms “when new releases are available.”
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are accessed.

These are basic cybersecurity requirements, and it’s likely that your company already has these or more stringent protections in place. However, it is your responsibility to ensure that these basic requirements are met.

If your company has a federal contract, the government expects you to be FAR compliant. The federal government reviews contractor compliance with the FAR during purchasing reviews, so it’s important to stay up to date with new rules and amendments. If there are any significant changes to the FAR, we will update this post accordingly.
