The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation – the rules governing the process through which the government purchases goods and services – addressing data security.
In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA all recognize that the requirements for Federal agencies to provide information security for the information and information systems that support agency operations and assets, as set forth under the Federal Information Security Management Act (FISMA) of 2002, extend to the information and information systems managed by contractors.
The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:
- Protecting information on public computers or web sites;
- Transmitting electronic information using technology and processes that provide the best level of security and privacy;
- Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
- Protecting information by at least one physical or electronic barrier;
- Sanitizing media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal;
- Providing protection against computer intrusions and the unauthorized release of data, including current and regularly updated malware protection services and security-relevant software upgrades.
Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors’ information systems.
Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.