NEW FAR CLAUSE HEIGHTENS CYBERSECURITY STANDARDS FOR CONTRACTORS’ INFORMATION SYSTEMS

Overview

Earlier this year, the Department of Defense (DOD) issued a Final Rule adding a new clause to the Federal Acquisition Regulations (FAR) — FAR 52.204-21, which, in short, imposes fifteen specific requirements for contractor information systems possessing or transmitting “Federal contract information.” FAR 52.204-21 defines “Federal contract information” as any acquisition-related information not public and not purely for transactional purposes. This broad definition signifies the new clause will cover most federal contractors. Likewise, the clause flows down to subcontractors that “may have” federal contract information residing in or flowing through their systems.

Scope

The Government, whether rightly or wrongly, expresses the view that the Final Rule requires “only the most basic level of safeguarding.” See 81 Fed. Reg. 30441 (May 16, 2016). Consequently, contractors should expect frequent implementation of the FAR clause in future federal contracts. Furthermore, although the FAR excludes commercial items from the new requirements, the Government has proposed certain instances where “subcontracts for commercial items . . . at lower dollar values . . . would involve covered contractor information systems.” See id. Moreover, for all non-commercial procurements, FAR 52.204-21 is a mandatory flowdown to subcontractors. In short, the Final Rule’s breadth and scope highlight the Government’s expansion of cybersecurity regulations to protect both government information and the systems utilizing such information.

The Requirements

FAR 52.204-21 imposes fifteen specific requirements for information systems that store or transmit federal contract information. The requirements mirror those already employed by DFARS 252.204-7012. Compliance is required by December 2017. Despite the above-noted Government view that the new requirements are “basic,” contractors should consult with their in-house or external IT professionals to confirm implications upon their systems and contracts.

More detailed information regarding the new fifteen specific requirements of the Final Rule could be found at www.law.cornell.edu. Generally, they concern access to and maintenance of information systems. For more information on cybersecurity regulations or FAR compliance generally, Vandeventer Black’s Construction and Government Contracts Team attorneys are poised to help navigate those needs for our clients.