Proposed FAR Rule Requires a Broad Universe of Government Contractors to Safeguard Contractor Information Systems

August 27, 2012

On August 24, 2012, the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) issued a proposed rule requiring contractors to safeguard contractor information systems containing information provided by or generated for the government. Federal Acquisition Regulation, Basic Safeguarding of Contractor Information Systems, 77 Fed. Reg. 51496 (Aug. 24, 2012) (the “Proposed Rule”). The Proposed Rule adds a new Federal Acquisition Regulation (FAR) subpart and contract clause that make basic information protection measures a contractual obligation. The Proposed Rule mandates basic protection measures on contractor information systems and contractors’ use of non-public government information aimed at deterring unauthorized disclosure, loss, or compromise of non-public Government information. Id. Prior to issuance of the Proposed Rule, the FAR did not specifically address the safeguarding of contractor information systems that contain or process non-public information provided by or generated for the government.

DoD, GSA, and NASA characterized the measure as an extension of Federal Agencies’ obligation under the Federal Information Security and Management Act of 2002 (FISMA) to secure information and information systems that support the agency, including information and information systems managed by contractors.  44 U.S.C. § 3544(a)(1)(A)(ii).  The proposed FAR subpart 4.17—Basic Safeguarding of Contractor Information Systems will apply broadly to “all solicitations, contracts (including orders and those for commercial items and commercially available off-the-shelf items), when a contractor’s information system may contain information provided by or generated for the government (other than public information).”  77 Fed. Reg. 51498.

Under the proposed subpart 4.1703, contracting officers must insert a new clause, FAR 52.204-XX, Basic Safeguarding of Contractor Information Systems, in any solicitation or contract under which the contractor or a subcontractor at any tier may have non-public information provided by or generated for the government residing in or transiting through its information system. Given the sweeping application of the Proposed Rule, nearly all government contractors who receive or generate such non-public information on behalf of the government will fall within the scope of the Proposed Rule. The Proposed Rule also requires contracting officers to ensure that the contractor has implemented the protective measures prescribed in the new FAR clause as part of the FAR subpart 42.302(a) contract administration function. 77 Fed. Reg. 51498.

The proposed FAR clause imposes substantive safeguarding requirements and requires contractors to adopt certain security procedures in seven different areas:

The proposed clause also requires contractors to include these requirements in any subcontracts under which the subcontractor may have information provided by or prepared for the government (excluding public information) residing in or transiting through its information systems.

The proposed clause expressly states that the basic requirements imposed are subordinate to any other contract clauses or requirements that specifically address the safeguarding of information systems. The Proposed Rule also provides that the rule is related to other pending rules but does not duplicate, overlap, or conflict with: FAR Case 2011-001, Organizational Conflict of Interest and Contractor Access to Nonpublic Information; and FAR Case 2011-010, Sharing Cyber Threat Information. 77 Fed. Reg. 51497. This express subordination appears to contemplate the imposition of additional, heightened security requirements on certain categories of contractors and/or Government information.

Though the individual requirements may not appear independently burdensome, taken together, the Proposed Rule imposes yet another layer of compliance obligations on government contractors that will require coordination amongst contractors, contractor employees, subcontract administrators, and information technology specialists to ensure compliance with the Proposed Rule’s safeguarding requirements.  For example, certain of the requirements are fairly ambiguous, such as the use of “the best level of security and privacy available, given facilities, conditions, and environment” that may be subject to diverse ranges of interpretation and may give rise to contract disputes.  Likewise, contractors and contracting officers may have differing views regarding what constitutes “reasonable assurance” that access to voice and fax transmission will be limited to authorized recipients.  These uncertainties could also be particularly difficult for prime contractors to enforce and monitor for subcontractors at any tier.  Given the uncertainties surrounding the Proposed Rule, affected contractors should consider submitting comments on the Proposed Rule on or before the October 23, 2012 deadline. 
