Guest Authors: Elizabeth Ferrell & Erin Sheppard, McKenna Long & Aldridge. Originally posted at http://www.mckennalong.com/publications-advisories-3064.html
On August 24, 2012, the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) issued a proposed rule requiring contractors to safeguard contractor information systems containing information provided by or generated for the government. Federal Acquisition Regulation, Basic Safeguarding of Contractor Information Systems, 77 Fed. Reg. 51496 (Aug. 24, 2012) (the “Proposed Rule”). The Proposed Rule adds a new Federal Acquisition Regulation (FAR) subpart and contract clause that make basic information protection measures a contractual obligation. The Proposed Rule mandates basic protection measures on contractor information systems and on contractors’ use of non-public government information, aimed at deterring unauthorized disclosure, loss, or compromise of non-public Government information. Id. Prior to issuance of the Proposed Rule, the FAR did not specifically address the safeguarding of contractor information systems that contain or process non-public information provided by or generated for the government.
DoD, GSA, and NASA characterized the measure as an extension of Federal Agencies’ obligation under the Federal Information Security and Management Act of 2002 (FISMA) to secure information and information systems that support the agency, including information and information systems managed by contractors. 44 U.S.C. § 3544(a)(1)(A)(ii). The proposed FAR subpart 4.17—Basic Safeguarding of Contractor Information Systems will apply broadly to “all solicitations, contracts (including orders and those for commercial items and commercially available off-the-shelf items), when a contractor’s information system may contain information provided by or generated for the government (other than public information).” 77 Fed. Reg. 51498.
Under the proposed subpart 4.1703, contracting officers must insert a new clause, FAR 52.204-XX, Basic Safeguarding of Contractor Information Systems, in any solicitation or contract under which the contractor or a subcontractor at any tier may have non-public information provided by or generated for the government residing in or transiting through its information system. Given the sweeping application of the Proposed Rule, nearly all government contractors who receive or generate such non-public information on behalf of the government will fall within its scope. The Proposed Rule also requires contracting officers to ensure that the contractor has implemented the protective measures prescribed in the new FAR clause as part of the FAR subpart 42.302(a) contract administration function. 77 Fed. Reg. 51498.
The proposed FAR clause imposes substantive safeguarding requirements and requires contractors to adopt certain security procedures in seven different areas:
- Protecting information on public computers or web sites: Prohibits contractors from processing non-public information provided by or generated for the government on public computers or computers that do not have access control; also prohibits contractors from posting such information on publicly available web sites and requires contractors to use access control for such web sites;
- Transmission of electronic information: Requires contractors to transmit e-mail, text messages, blogs and other electronic transmissions using “the best level of security and privacy available, given facilities, conditions, and environment”;
- Voice and fax transmission: Limits contractors’ use of voice or fax transmission of information provided by or generated for the government to situations in which “the sender has a reasonable assurance that access is limited to authorized recipients”;
- Physical and electronic barriers: Requires contractors to utilize at least one layer of physical protection (such as a locked container/room or login and password) to protect information provided by or generated for the government when not under direct individual control;
- Media Sanitization: Requires contractors to clear information on media used to process government information (other than public information) before external release or disposal;
- Intrusion protection: Mandates that contractors utilize minimum protections against computer intrusions and data compromise such as (1) current and regularly updated malware protection services, and (2) prompt application of security-relevant patches, service packs, and hot-fixes;
- Transfer limitations: Limits prime contractors’ ability to transfer information provided by or generated for the government to subcontractors. Specifically, contractors may only transfer information to subcontractors that (1) require the information and (2) provide the same level of security required by this clause.
The proposed clause also requires contractors to include these requirements in any subcontracts under which the subcontractor may have information provided by or prepared for the government (excluding public information) residing in or transiting through its information systems.
The proposed clause expressly states that the basic requirements it imposes are subordinate to any other contract clauses or requirements that specifically address the safeguarding of information systems. The Proposed Rule also provides that it is related to, but does not duplicate, overlap, or conflict with, two other pending rules: FAR Case 2011-001, Organizational Conflict of Interest and Contractor Access to Nonpublic Information; and FAR Case 2011-010, Sharing Cyber Threat Information. 77 Fed. Reg. 51497. This express subordination appears to contemplate the imposition of additional, heightened security requirements on certain categories of contractors and/or Government information.
Though the individual requirements may not appear independently burdensome, taken together, the Proposed Rule imposes yet another layer of compliance obligations on government contractors that will require coordination among contractors, contractor employees, subcontract administrators, and information technology specialists to ensure compliance with the Proposed Rule’s safeguarding requirements. For example, certain of the requirements are fairly ambiguous, such as the requirement to use “the best level of security and privacy available, given facilities, conditions, and environment,” which may be subject to a wide range of interpretations and may give rise to contract disputes. Likewise, contractors and contracting officers may have differing views regarding what constitutes “reasonable assurance” that access to voice and fax transmissions will be limited to authorized recipients. These ambiguous requirements could also be particularly difficult for prime contractors to enforce and monitor across subcontractors at any tier. Given the uncertainties surrounding the Proposed Rule, affected contractors should consider submitting comments on the Proposed Rule on or before the October 23, 2012 deadline.