Introduction

The U.S. government requires safeguarding of Federal Contract Information (FCI) under FAR 52.204-21. Additionally, Controlled Unclassified Information (CUI) must be safeguarded under FAR supplements, such as DFARS 252.204-7012 for the U.S. Department of Defense.

Applicability

FAR (and FAR supplements, e.g. DFARS) apply to organizations engaging in certain commercial activities with the federal government, as well as to sub-contractors through “pass-down” obligations from prime contractors.

  • FCI is information not intended for public release provided by or generated for the government under a contract to develop or deliver a product or service to the government.
  • CUI is information created for or on behalf of the government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

Compliance Tip: Even if a certain safeguarding clause is not explicitly stated in a federal contract or solicitation, if the requirement is a significant or deeply ingrained policy, then it may be deemed “read” into a federal contract by operation of law pursuant to the Christian Doctrine (see G.L. Christian and Associates v. United States, 312 F.2d 418 (Ct. Cl. 1963)), and the contractor’s knowledge of and compliance with the obligation is nonetheless expected.

Requirements

FAR 52.204-21 requires safeguarding FCI through measures or controls prescribed to protect information systems including, at a minimum:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

DFARS 252.204-7012 requires safeguarding CUI consistent with NIST SP 800-171 Rev. 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), which specifies 110 controls across 14 control families, identified as follows:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Compliance Tip: Additional derivative requirements to NIST SP 800-171 are described in Appendix D.

As part of compliance, an organization must have a written System Security Plan (SSP) that describes implementation of the 110 controls. The lack of an SSP precludes the completion of an assessment and scoring.

Compliance Tip: The DFARS Interim Rule issued in September 2020 requires defense contractors to submit a Department of Defense Assessment Methodology (DoDAM) score of their compliance with NIST SP 800-171 to the Supplier Performance Risk System (SPRS) in order to qualify for new contracts after November 30, 2020.

Enforcement & Liability

Federal agencies are responsible for ensuring compliance with contractor safeguarding obligations. The U.S. Department of Defense verifies contractor compliance with DFARS 252.204-7012 and conducts assessments at its discretion. The Department of Justice can bring civil actions under the False Claims Act against contractors who violate contractual obligations.

Compliance Tip: By invoicing the U.S. government on a federal contract, the contractor attests that it is in compliance with all contract requirements. Failure to be in compliance with all contract requirements may constitute a violation of the False Claims Act (see United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019)).

Penalties

As of June 19, 2020, penalties for violating the False Claims Act were increased to a minimum penalty of $11,665 and a maximum penalty of $23,331 for a single violation.