On May 15, a new Federal Acquisition Regulation (FAR) final rule was jointly issued by the General Services Administration (GSA), the National Aeronautics and Space Administration (NASA), and the Department of Defense (DoD), titled “Basic Safeguarding of Contractor Information Systems”. Sounds innocent enough, doesn’t it?
Among other things, the new rule lists 15 basic safeguarding requirements and procedures that shall be applied in order to better protect information systems (IS). They are written at a fairly high level so that each can be implemented in a manner appropriate to the system, without the rule prescribing a specific implementation. Two examples are: 1) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems); and 2) Verify and control/limit connections to and use of external information systems. These may sound familiar to IT and security professionals who have experience with the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53, 800-53A and 800-171, and with system accreditations under the government Risk Management Framework (RMF) process. Government contractors who have never had to implement these types of procedures soon will.
This new exposure stems from the scope of applicability of the rule. With few exceptions, these safeguards will need to be applied to any contractor-owned system that processes, stores or transmits Federal contract information. For the most part, if you perform work under a Federal contract, the IS used for that work will need to comply with these 15 security controls. A distinguishing characteristic of this rule is that the controls are directed at protecting the contractor’s information system itself, not specifically the government’s information or data.
The government’s discussion and responses to comments show that it understands the breadth of applicability of this rule, but considers the required security controls to be a basic level of protection. It views this level of protection as the minimum that a prudent business would already apply in the normal course of its business practices, so little additional work should be required of a contractor to comply with the new rule.
I would recommend that any company having government contracts review the new rule available at https://www.federalregister.gov/articles/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#p-125 and determine if their current IS protections will comply with the security controls.