In May 2016, the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) issued a Final Rule to add a new subpart and contract clause (52.204-21) to the Federal Acquisition Regulation (FAR) “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”
What does this mean for you? Let's start with a quick refresher on the FAR as a whole and then take a look at the update.
What is the FAR?
The FAR is a set of clauses that are part of the Code of Federal Regulations. The FAR is important because it describes the rules for contracting with the federal government. Federal government agencies—as well as government contractors that win a contract—are regulated by the FAR and must follow the procurement rules and policies set forth in the FAR.
FAR Clause 9.405-2 protects the government from subcontractors that are debarred, suspended, or proposed for debarment. The government identifies firms and individuals who are restricted from receiving certain subcontracts, and then it reviews contractor compliance during purchasing reviews.
In this case, debarment means the government has identified firms and individuals who are restricted (barred) from receiving contracts and certain subcontracts due to fraud, waste and/or abuse. For example, commission of fraud, embezzlement, theft, forgery, bribery, falsification or destruction of records, tax evasion, violating Federal criminal laws, receiving stolen property, engaging in unfair trade practices and a history of failing to meet performance standards are all causes for debarment.
The federal government places the responsibility on its prime contractors to protect it from subcontracting with these debarred firms and individuals.
Amendments to the FAR
The FAR is amended when the three government agencies governed by the FAR (DoD, NASA, and GSA), along with the FAR Council, issue proposed and final rules under the “notice and comment” procedures established by the Administrative Procedure Act.
Depending on how the regulation is promulgated, the number of comments received on a proposed change, and other factors, the process of amending the FAR can take anywhere from months to years (and, in some cases, a change is proposed but never finalized).
May 2016’s Data Security FAR Amendment
The May 2016 amendment outlines basic requirements for securing data related to federal contracts, part of the government's ongoing effort to strengthen cybersecurity and provide a baseline of protection for all contractors. This rule applies to a contractor's IT systems, so any computer network containing protected government data will need to comply with the new regulations.
Effective June 15, 2016, contractors are required to ensure that the following information security safeguards are in place for the covered contractor information systems:
- Limit information system access to authorized users, processes, and devices.
- Limit information system access to permitted transactions and functions.
- Authenticate identities of users, processes, or devices as a prerequisite to accessing organizational information systems.
- Limit physical access to information systems, equipment, and operating environments.
- Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of the information system.
- Provide protection from malicious code and update malicious-code protection mechanisms “when new releases are available.”
- Perform periodic scans of the information system and real-time scans of files from external sources as files are accessed.
These are basic cybersecurity requirements, and it’s likely that your company already has these or more stringent protections in place. However, it is your responsibility to ensure that these basic requirements are met.
If your company has a federal contract, the government expects you to be FAR compliant. The federal government reviews contractor compliance with the FAR during purchasing reviews, so it’s important to stay up to date with new rules and amendments. If there are any significant changes to the FAR, we will update this post accordingly.