Final FAR Cyber Rule Issued on Safeguarding of Contractor Systems

Final FAR Cyber Rule Issued on Safeguarding of Contractor Systems

May 16, 2016, Covington Alert

Today, the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) issued a Final Rule to add a new subpart and contract clause (52.204-21) to the Federal Acquisition Regulation (FAR) “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.” See 81 Fed. Reg. 30439 (May 16, 2016). The Final Rule imposes a set of fifteen “basic” security controls for contractor information systems upon which “Federal contract information” transits or resides. Federal contract information is defined as information provided by or generated for the Government under a contract to develop a product or service for the Government, but does not include either: (1) information provided by the Government to the public, such as on a website, or (2) simple transactional information, such as that needed to process payments. Based on the scope of the Final Rule, the vast majority of federal contractors will be covered by this Final Rule once they accept the clause.