Government contractors soon may be compelled to protect against the compromise of government information resident on their networks and computer systems. On August 24, the Federal Acquisition Regulatory Council (FAR Council) issued a proposed rule on “Basic Safeguarding of Contractor Information Systems”. 77 Fed. Reg. 51,495 (Aug. 24, 2012). The proposal would add a new FAR subpart and contract clause requiring small and large contractors, including commercial items contractors, to employ basic security measures to protect information from unauthorized disclosure, loss, or compromise.
The proposed FAR clause would mandate “basic safeguarding” measures for information “provided by or generated for” the government which “resides on or transits through [contractor] information systems.” Required protective measures would include:
• Public computers: A prohibition on processing information on public computers (e.g., public kiosks, hotel business centers) and computers that do not have a form of access control.
• Public websites: A prohibition on posting government information on websites that do not control access by user ID/password, user certificates, or other technical means.
• Electronic communications: Transmission of email, text messages, blogs, and similar communications using technology and processes that provide “the best level of security and privacy available, given facilities, conditions, and environment.”
• Voice and fax communications: Transmission of voice and fax messages only when the sender has a “reasonable assurance that access is limited to authorized recipients.”
• Physical and electronic barriers: Protection of information by at least one physical and one electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
• Mobile media: Sanitizing media such as flash drives and external hard drives before disposal.
• Intrusion protection: Regularly updating malware protection measures (e.g., anti-virus, anti-spyware) and applying security-relevant software upgrades (e.g., patches, service-packs, and hot fixes).
• Subcontractors: Transmission of information to subcontractors only when they require such information for purposes of contract performance, and when they comply with the FAR clause (which is a mandatory flowdown).
By its own terms, the clause would apply broadly to nearly all federal contracts and orders—including those for commercial items and commercially available off-the-shelf items—when the contractor’s information system may contain information provided by or generated for the government. The clause would not apply to “public information,” defined as information that an agency discloses, disseminates, or makes available to the public.
Several key terms of the proposed FAR clause are open to interpretation. For example, no guidance is offered on the contours of “best level of security and privacy” or the concept of “reasonable assurance that access is limited to authorized recipients.” The meaning of these phrases may come to depend in part on technical guidance offered by the National Institute of Standards and Technology (NIST), which issues security guidelines on topics such as intrusion detection, media sanitization, and cloud computing. Contractors that operate through cloud-based platforms (such as web-based e-mail systems) and large data centers will need to consider the impact of the ultimate FAR rule and whether changes to applicable agreements will be required.
Most sophisticated government contractors—and particularly those contractors that are already subject to contractual security plans and compliance obligations stemming from the Federal Information Security Management Act (FISMA)—have long observed information security safeguards, including the measures named in the proposed rule. But many contractors will need to review or adjust their security protocols in light of the proposed rule.
Importantly, although FISMA is cited as statutory authority for the foregoing requirements, the proposed FAR clause does not expressly extend the full FISMA risk management framework to all contractors and subcontractors subject to the clause. The clause would nonetheless represent the first uniform government-wide contract clause rooted in FISMA, which was enacted as part of the E-Government Act of 2002 (Public Law 107-347).
Although comprehensive cybersecurity legislation fizzled this year, the proposed FAR clause signals the direction federal agencies are taking with respect to contractor information systems.
Comments on the proposed rule must be submitted on or before October 23, 2012.