Following lengthy wrangling, a change has been finalized to the Federal Acquisition Regulations that requires safeguards for government information stored on contractor IT systems.
The focus of the change moves FAR closer to the NIST Cybersecurity Framework, widely adopted in the private sector. The new rule applies to contractors who store, transmit and process federal data, and requires a basic level of safeguards and security for all nonpublic, government files.
“The final rule formalizes cybersecurity standards and poses compliance challenges to a broad range of contractors,” said Moshe Broder, attorney-at-law for Wiley Rein LLP who authored an analysis of the new regulations. “In the broader sense, the final rule is a reflection of the government’s ongoing efforts to strengthen cybersecurity and provide a baseline of protection for all contractors.”
Primarily, the rule change affects contractor IT systems as a whole as opposed to the information stored on them. So any computer network containing protected government data will need to comply with the new regulations.
Not every contractor that touches government data will be subject to the new rule. Only contractor systems holding government data that is not meant for public release are affected by the change. Systems holding information that is deemed unclassified, or which will eventually be placed on a public network, are exempt from the new FAR regulation.
When originally proposed, the change was to apply to all “government contract information,” which was defined as any information from the government not to be released to the public. However, after consultation with the National Archives and Records Administration, the requirements were shifted to the contractor systems themselves. According to the rule-making notice, this change was made to avoid drawing a distinction as to exactly which information needed safeguards, simplifying things so that contractors could straightforwardly apply the new cybersecurity standards to any of their systems that contained protected information.
NASA, the Department of Defense and the General Services Administration are scheduled to make this regulation mandatory for all applicable contractors on June 15. By that time, all contractors holding nonpublic government data are expected to have implemented the basic cybersecurity standards set out by the new rules. However, Broder predicted that with such a short time for implementation, some issues could still arise as contractors struggle with compliance.
“Because the final rule is effective in less than a month, contractors should not hesitate in ensuring that their information systems are compliant with its safeguarding requirements,” Broder said.
This change could have far-reaching effects on many government contractors as they shift to meet the new standards within a relatively short deadline, observers warn. Contractors may need to set aside significant capital to invest in upgrades to their infrastructure or risk being unable to maintain their contracts.