What is the Federal Acquisition Regulation (FAR)?
The Federal Acquisition Regulation (FAR) is a substantial and complex set of rules governing the federal government’s purchasing process. Its purpose is to ensure that purchasing procedures are standard and consistent, and that they are conducted in a fair and impartial manner. The FAR is the primary regulation used by all executive agencies in their acquisition of supplies and services with appropriated funds. It also contains standard solicitation provisions and contract clauses, and it is extended by the various agency FAR supplements. The FAR is issued and maintained jointly by the Secretary of Defense, the Administrator of General Services, and the Administrator of the National Aeronautics and Space Administration. The Procurement Executives of DoD, GSA and NASA are authorized to make revisions.
The FAR had its beginnings in the Armed Services Procurement Regulation established in 1947. In order to do business with the federal government, you need a basic knowledge of what is in the FAR and how to use it. The parts most relevant to small businesses are Part 19, Small Business Programs, and Part 52, which lists the standard terms and conditions contained in a government contract.
Suppliers to the US Government
If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.204-21. If your company produces products used by the Department of Defense (DoD), you may also be required to comply with the cybersecurity standards set by DFARS if those products are not commercially available off-the-shelf (COTS).
- FAR 52.204-21: Requires government contractors to follow 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI). These requirements are sometimes called the “FAR 15”.
- DFARS 252.204-7012: Requires contractors handling CUI to implement NIST SP 800-171, report cyber incidents, and report gaps in their implementation.
- DFARS 252.204-7019 (interim): Requires primes and subcontractors to submit a self-assessment of their NIST SP 800-171 controls through the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020 (interim): Requires primes and subcontractors to give the DoD (via DCMA) access to their infrastructure to verify the self-assessment, and requires contractors to flow the requirements down to their subcontractors.
- DFARS 252.204-7021 (interim): Rolls out the Cybersecurity Maturity Model Certification (CMMC) program over 5 years.
What is FAR 52.204-21?
FAR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”) gives the original definition of FCI, on which later definitions are based: “facts, data, or opinions… provided by or generated for the Government under a contract… [that’s] not provided to the public”. First proposed in 2012 and established in 2016, before DFARS 252.204-7012, this clause may come as a surprise to some simply because FCI is a relatively new term for those who are not familiar with federal contract regulations.
Some examples of FCI are contract performance reports, organizational or programmatic charts, process documentation, and the like. These are most often provided by the Government, but some can originate with your own people, which is why clear labeling and communication with your contracting officer is key.
Another example, which CMMC provides in Access Control (AC) 1.003, is a scenario in which your business development and proposal teams are creating an RFP/RFI/RFQ response to the DoD for a new contract or a rebid. In that proposal response, your company may include detailed processes, past performance, and contract information from existing or recently completed contracts. In some cases this contract data may be clearly identified as FCI, and it should at least be considered FCI. That does not mean the RFP itself is FCI; those documents are public.
How does FAR 52.204-21 relate to Federal Cybersecurity Enforcement?
The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.” These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance. In other words, if the clause is not included in your Federal contracts yet, it soon will be.
The Regulation imposes 15 “basic” security controls on contractors. The controls are intended to impose the minimum safeguarding measures that the government believes any responsible contractor should have in place as part of the cost of doing business. The complete list of the security controls is reproduced below.
For Federal contractors, the future is now. Cybersecurity requirements will soon be included in almost every Federal contract, so the only question is how to achieve and maintain compliance. The good news is that compliance with FAR 52.204-21 is a great first step. Again, the government considers the Regulation to be a basic safeguarding requirement that every responsible contractor should have in place. If your business does not have at least those 15 security controls covered right now, it is time to figure out why.
To track and maintain compliance with expanding requirements, we also recommend making Cybersecurity part of your Federal Business Ethics and Compliance Program. All Federal contractors have (or should have) a written Contractor Code of Business Ethics and Conduct. The Code should be a living document that your business routinely updates and uses in connection with internal audits and employee training. By adding Cybersecurity to your Ethics Program and written Code, you ensure that it becomes part of your company’s culture. You also increase the likelihood that Cybersecurity breaches, or other instances of non-compliance, are identified by your Internal Control System rather than by the government.
Cybersecurity is an emerging, complex subject – but that does not mean that the government will relax its enforcement efforts while your business gets up to speed. In fact, we think the opposite is true. Contractors that do not make Cybersecurity compliance a priority now will be behind the power curve and are more likely to face harsh consequences (including False Claims Act allegations, suspension, or debarment) later down the road.
Executive Branch agencies issue supplemental regulations that include purchasing rules unique to these agencies. Examples include:
- Department of Defense: Defense Federal Acquisition Regulations Supplement (DFARS)
- Navy: Navy Marine Corps Acquisition Regulation Supplement (NMCARS)
Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement, but it does not take the place of other, more complex requirements.
For example, DoD contractors must comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). The DFARS clause is more far-reaching than the FAR clause, and includes investigation and rapid reporting requirements for breach incidents. It also requires compliance with NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by no later than December 31, 2017.
DFARS 252.204-7012 is a Department of Defense (DoD) regulation that has become increasingly important for defense contractors and suppliers. Originally implemented in 2016, DFARS 252.204-7012 requires safeguarding of covered defense information (CDI) by implementing guidance found in NIST SP 800-171.
FAR 52.204-21 Specifics: Basic Safeguarding of Covered Contractor Information Systems (Nov 2021)
(a) Definitions. As used in this clause—
Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
Safeguarding means measures or controls that are prescribed to protect information systems.
(b) Safeguarding requirements and procedures.
(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.