
Basic Safeguarding of Contractor Information Systems

July 27, 2016 / Ed Jameson / Blog Posts

DoD, GSA, and NASA issued a final rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. The clause does not relieve the contractor of any other specific safeguarding requirement specified by Federal agencies and departments as it relates to covered contractor information systems generally or other Federal requirements for safeguarding Controlled Unclassified Information (CUI) as established by Executive Order (E.O.). Systems that contain classified information, or CUI such as personally identifiable information, require more than the basic level of protection.*

What does this mean for you as a federal contractor? It simply means that if you’re storing, transmitting or processing federal information (such as how you’re spending), you must take the proper precautions to keep that information secure. This may require some extra IT support to make certain you’re compliant with the new regulation. Take a look at the basic safeguarding security controls imposed by the Final Rule:

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
  10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

If you’re concerned about the safeguarding of your accounting system and/or wondering if it’s compliant with all aspects of the FAR, we can help!


*Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems. 81 FR 30439

Ed Jameson, CPA, Managing Partner

I’ve been in practice for over 40 years helping our small business clients procure, manage, and survive audits on more than $6 billion in federal government contract and grant funding. We’ve been featured presenters and panel moderators at Tech Connect’s National SBIR/STTR conferences since 2010, and I’ve presented at the DOD’s Mentor Protégé Summit and present regularly for several state and local organizations.