Heads UP! New Cybersecurity Requirements Now Apply to Civilian Government Contractors

Posted by: Peaktwo Developers July 15, 2016 Compliance, Cybersecurity

Government contractors that work with civilian agencies like NASA and the FAA, take note.  Perhaps you thought you escaped the cybersecurity compliance mandates being levied on your defense contractor brethren.  Not so fast.

A rule issued on May 16th creates a new Federal Acquisition Regulation (FAR) clause, FAR part 52.204-21, which applies to you.  The FAR clause defines a set of cybersecurity measures to help ensure basic safeguarding of federal contract information that is processed, stored, or transmitted by contractor systems.  Federal contract information is defined as any information provided by or generated for the Government under a contract that is not intended for public release.

If you think this sounds open-ended and wide-ranging, you’re right.  The Government adopted language by design to affect virtually every contractor and contract.

For now, civilian contractors must comply with 15 security controls ranging from identity authentication and system access control to information sharing and ongoing compliance assessments.  While that’s not as imposing as the challenge defense contractors face with the 109 security controls of NIST SP 800-171 incorporated by reference in the latest DFARS provisions, it’s no cakewalk.

Two other factors should raise the hair on the back of every civilian contractor’s neck:

  1. The FAR clause includes a flowdown provision. That means the cybersecurity requirements apply not only to the contractor, but also to all of its subcontractors and suppliers.  Confirming and monitoring compliance over time is a tall order, especially for multi-tiered supply chains comprising thousands of suppliers worldwide.
  2. The Government has made it clear that it is likely to add more controls in the future to preserve basic safeguarding of federal contract information as technology and cyber threats evolve.

While this all may sound daunting, it doesn’t have to be.  Exostar offers proven solutions that defense contractors are using today to comply with the more stringent DFARS provisions for cybersecurity.  Civilian contractors can immediately leverage those solutions to address the new FAR clause.  Even better, the solutions allow contractors to stay a step ahead of the game as the Government inevitably augments the FAR clause with more controls from NIST SP 800-171.