Effective June 15, 2016, the Federal Acquisition Regulation (FAR) has a new amendment which covers basic safeguarding of all “covered” Contractor Information Systems relating to Controlled Unclassified Information (CUI). This amendment has been four years in the making and covers the General Services Administration (GSA), Department of Defense (DoD), and National Aeronautics and Space Administration (NASA).
The rule mandates 15 security controls that take effect on June 15, 2016. According to the clause, the Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
- Limiting information system access to authorized users, processes acting on behalf of authorized users, or devices;
- Limiting information system access to the transactions and functions that authorized users are allowed to make;
- Verifying and controlling connections to external information systems;
- Controlling information posted or processed on publicly accessible information systems;
- Verifying the identity of users, processes or devices before allowing access to information systems;
- Sanitizing or destroying information system media containing federal contract information before disposal or release;
- Limiting physical access to information systems, equipment and the respective operating environments to authorized individuals;
- Escorting visitors and monitoring their activity;
- Monitoring, controlling and protecting information the systems transmit or receive at their external and internal boundaries;
- Implementing sub-networks for publicly accessible system components that are separated from internal networks;
- Identifying, reporting and correcting information and information system flaws in a timely manner;
- Protecting against malicious code;
- Updating malicious code protection mechanisms when new releases come out; and
- Periodically scanning the information systems and performing real-time scans of files from external sources as files are downloaded, opened or executed.
This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556. Some comfort can be taken in the fact that the rule states that as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract.
The clause only flows down to “covered” contractor information systems. A “covered” contractor information system applies to contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. The rule excludes COTS items from its applicability, at both the prime and subcontract level. Note that there may be subcontracts for commercial items (especially services, e.g., a consultant) at lower dollar values that would still involve covered contractor information systems. In such instances, it is still necessary to apply the basic safeguards to that covered contractor information system.
For the small business, an ERP product will cover the company to the extent that the product is enabled as required and the business has strict procedures in place, and actually followed, to incorporate the 15 security controls. So long as the administrator can easily manage users, grant and revoke authorizations, monitor activity, and keep a log, the business can prove compliance with the rule.