Cyber rule to safeguard contractor systems.

Author: Cassidy, Susan Booth
Position: Government Contracting Insights

The Defense Department, General Services Administration and NASA issued a final rule May 16 to add a new subpart and contract clause to the Federal Acquisition Regulation "for the basic safeguarding of contractor information systems that process, store, or transmit federal contract information."

The focus of the final rule is on protecting contractor systems rather than specific government information. It imposes a set of 15 "basic" security controls for contractor information systems upon which federal contract information transits or resides.

Federal contract information is defined broadly as information provided by or generated for the government under a contract to develop or deliver a product or service. Federal contract information does not include either information provided by the government to the public, such as that found on public websites, or simple transactional information, such as that used for payment processing.

The vast majority of federal contractors will be subject to these requirements once they accept the new FAR clause.

Contracting officers are required to include this clause in "solicitations and contracts when the contractor or a subcontractor at any tier may have federal contract information residing in or transiting through its information system."

Similarly, prime contractors must flow the substance of this clause to subcontractors--except for commercial suppliers--if that subcontractor "may have" federal contract information residing in or transiting through its information systems. This rule is limited to basic safeguarding of relevant information systems, and there are no requirements to report cyber incidents to the government.

The rule does not excuse other obligations imposed on contractors for the safeguarding of other government information, including controlled unclassified information or covered defense information.

The final rule is only the first step in a number of interrelated regulatory actions being taken in the cybersecurity area. Last summer, the Office of Management and Budget published draft guidance intended to improve and clarify cybersecurity protections in federal acquisitions. OMB proposed direction to federal agencies on "implementing strengthened cybersecurity protections in federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to controlled unclassified information on behalf of the federal...
