FAR Final Cybersecurity Rule Sets Basic Level of Safeguarding

The Federal Acquisition Regulation (FAR) Council has
issued a final rule, effective June 15th, requiring government contractors to
implement a basic level of safeguards on their contractor information
systems. The final rule includes 15 requirements for
the safeguarding of contractor systems that “process, store or transmit Federal
contract information.” “Federal contract information” is broadly defined to include information
that is not public and that is “provided by or generated for the Government
under a contract to develop or deliver a product or services to the
Government.”

The final FAR rule is in addition to other cybersecurity
safeguarding rules and requirements specified by Federal agencies. Unlike the Defense FAR Supplement rule that
we previously reported on, which requires compliance
with NIST 800-171 but provides a mechanism for contractor deferment of final
implementation until December 31, 2017, the new FAR rule will apply immediately
in all contracts and procurements in which it is included. The rule applies to all procurements,
including procurements of commercial items (CI) other than commercially
available off-the-shelf (COTS) items.
Contractors will be required to flow down the new rule to their
subcontracts for the acquisition of supplies or services, including CI other
than COTS items, if the subcontractor may have Federal contract information
“residing in or transiting through its information system.”

Stay alert for the inclusion of the new rule, 52.204-21
Basic Safeguarding of Covered Contractor Information Systems (JUN 2016), in
your procurements, and in requests for bilateral modifications of your existing
contracts. Compliance with the new rule
may increase your costs and risks of performance. If you would like more information on the new
rule and how it may affect you, please contact Susan Warshaw Ebner.