The Proposed New FAR Rule Establishing Basic Requirements for Safeguarding Contractor Information Systems Is Finally Here
August 31, 2012
By: Eric Whytsell
Last week, the Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) proposed a long-awaited new rule establishing requirements for the safeguarding of contractor information systems that contain or process nonpublic Government information. Basic Safeguarding of Contractor Information Systems, 77 Fed. Reg. 51496 (Aug. 24, 2012) (to be codified at 48 C.F.R. pts. 4, 7, 12, 42, and 52).
This latest chapter in the evolving attempts to address the protection of nonpublic Government information arrived almost two and a half years after DoD published an Advance Notice of Proposed Rulemaking (ANPR) and notice of public meeting under Defense Federal Acquisition Regulation Supplement (DFARS) Case 2008-D028, 75 Fed. Reg. 9563 (Mar. 3, 2010). Public comments received during that ANPR effort, which addressed basic and enhanced safeguarding procedures for DoD unclassified information (including encryption and network intrusion protection requirements), were considered during the drafting of a proposed FAR rule under FAR Case 2009-030, which focused on the basic safeguarding of unclassified Government information within contractor information systems. While the FAR Council agreed to a draft proposed FAR rule, it was never published. Instead, over a year ago, on June 29, 2011, FAR Case 2009-030 was rolled into FAR Case 2011-020, which is not limited to a single category of Government information (e.g., unclassified).
The new proposed rule is the result. It characterizes its provisions as an extension of the Federal Information Security Management Act of 2002 (FISMA) requirement for “Federal agencies to provide information security for information and information systems that support the operations and assets of the agency, including those managed by contractors.” 77 Fed. Reg. at 51497. The rule would add a new subpart at 4.17, Basic Safeguarding of Contractor Information Systems, and a new contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information as defined at 44 U.S.C. 3502). Id.
The new subpart and clause would apply in all solicitations and contracts (including orders and those for commercial items and commercially available off-the-shelf items) “above the simplified acquisition threshold when the contractor or a subcontractor at any tier may have information residing in or transiting through its information system, where such information is provided by or generated for the Government (other than public information).” Id. If the contracting officer determines its inclusion is appropriate, the clause may also be applied in procurements under the simplified acquisition threshold. Id. The clause must be flowed down to subcontractors at all tiers “that may have information residing in or transiting through its information system, where such is provided by or generated for the Government (other than public information).” Id. at 51499.
In this regard, proposed FAR 4.1701 defines “Information” as “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.” Id. at 51497. The term “Information System” means “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” Id. “Public Information” is defined as “any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public.” Id.
The proposed clause establishes specific minimum “safeguarding requirements” contractors must apply to protect the subject information from unauthorized access and disclosure in a number of areas, including:
(1) Public computers and web sites;
(2) Transmitting electronic information;
(3) Transmitting voice and fax information;
(4) Physical and electronic barriers;
(6) Intrusion protection; and
(7) Transfer limitations.
Id. at 51499. However, these basic requirements are not dispositive. The clause is expressly subordinate to any other contract clauses or requirements that specifically address the safeguarding of information or information systems; those take precedence in the event they are inconsistent with the requirements of the clause. Id. For example, the basic requirements may be altered as necessary to align with any future direction given in connection with ongoing efforts to implement Executive Order 13556 of November 4, 2010, “Controlled Unclassified Information,” published in the Federal Register at 75 FR 68675 on November 9, 2010. Id. at 51497.
Interested parties may contribute to the ongoing saga by submitting written comments in response to FAR Case 2011-020 on or before October 23, 2012. See the above link to the Federal Register notice for more information about submitting comments.
Eric Whytsell is the attorney responsible for the content of this article.