FAR 52.204-21 and the Future of Federal Cybersecurity Enforcement

FAR 52.204-21 and Federal Cybersecurity Standards 

In 2016 the Department of Defense, NASA and the GSA published FAR contract clause 52.204-21 that provided minimum standards for cybersecurity for all contractors dealing with the federal government.  The regulation applies to all ‘covered contractor information systems’ that process, store or transmit ‘Federal contract information.’

This clause will eventually (probably sooner than later) appear in all Federal contracts.  So the time to get on board with this new data security regime is now.

FAR 52.204-21 puts in place 15 security controls for contractors:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  • Verify and control/limit connections to, and use of, external information systems.
  • Control information posted or processed on publicly accessible information systems.
  • Identify information system users, processes acting on behalf of users, or devices.
  • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
  • Monitor, control, and protect organizational communications (e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • Identify, report, and correct information and information system flaws in a timely manner.
  • Provide protection from malicious code at appropriate locations within organizational information systems.
  • Update malicious code protection mechanisms when new releases are available.
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

The Minimum Cybersecurity Regulations, for Now

It’s important to remember that these are the minimum standards that all federal contractors should be adhering to now.  They do not replace other, more specific and strenuous cybersecurity standards that may apply to your business–such as DFARS 252.204-7012 for defense contractors.  It’s  important to note that FAR 52.204-21 also ‘flows down’ to subcontractors as well that are handling federal contract information.

Implementing the basic cybersecurity protocols listed in FAR 52.204-21 will help protect contractors against government enforcement actions including False Claims Act investigations and penalties.  It’s a prudent first-step to take, as more cybersecurity requirements will almost undoubtedly follow.