Federal Acquisition Regulation (FAR) 52.204-21
If you are new to Federal Acquisition Regulation (FAR) 52.204-21, it is a FAR contract clause “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”
FAR 52.204-21 imposes a set of fifteen (15) basic cybersecurity controls for contractor information systems upon which “Federal contract information” is stored, processed or transmitted. Federal contract information is defined as information provided by or generated for the Government under a contract to develop or deliver a product or service for the US Government. These FAR cybersecurity controls also form the basis for the Cybersecurity Maturity Model Certification (CMMC) Level 1 that is focused on protecting Federal Contract Information (FCI) and Covered Contractor Information Systems (CCIS).
NIST 800-171 & CMMC Compliance Implications for FAR 52.204-21
Changes are coming that will affect FAR 52.204-21. NIST 800-171 (page v) indicates that FAR is going to adopt NIST 800-171 cybersecurity requirements to protect government data (e.g., Controlled Unclassified Information or Controlled Technical Information). In the end, this means that complying with the US Government's cybersecurity requirements will involve considerably more than just the 15 basic controls currently listed in FAR 52.204-21.
The Department of Defense (DoD) states in the CMMC Model Main document that Level 1 organizations "may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1." This makes it appear that Level 1 organizations have no documentation requirements. However, that is actually incorrect when you look at how Level 1 organizations are focused on protecting Federal Contract Information (FCI) and Covered Contractor Information Systems (CCIS).
FAR 52.204-21 specifically calls out in section (b)(1) that contractors “shall apply the following basic safeguarding requirements and procedures to protect CCIS” with regard to the fifteen FAR cybersecurity requirements that form the basis for CMMC Level 1 practices. Given the underlying FAR requirements for Level 1 CMMC organizations, FAR 52.204-21(b)(1) calls out the need for:
- Procedures; and
- Applying the requirements.
In practical terms, this means that in order to comply with FAR 52.204-21, any organization going through a Level 1 CMMC assessment is reasonably expected to have documented policies, standards and procedures that show how the FAR requirements are implemented. Without documented evidence of due care and due diligence, the contractor could be considered negligent and could be within scope for a False Claims Act (FCA) violation.
FAR vs DFARS - ISO 27002, NIST Cybersecurity Framework or NIST 800-53 Frameworks - What Is The Best Approach?
The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171.
Essentially, this means that only the NIST 800-53 framework is going to meet FAR requirements of NIST 800-171; ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.
Cost of Non-Compliance With FAR 52.204-21
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with FAR requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a FAR-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., FAR cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
Affordable, Editable FAR 52.204-21 Compliance Documentation
ComplianceForge is a niche cybersecurity company that specializes in compliance-related documentation. We are a leading provider for FAR 52.204-21 compliance documentation, where we serve clients from small businesses through the Fortune 500 with our FAR 52.204-21 compliance products.
What Problem Does ComplianceForge Solve?
- Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive FAR 52.204-21 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers FAR 52.204-21 documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with FAR 52.204-21 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with FAR 52.204-21 but cannot provide evidence. Our documentation can help you become and stay compliant with FAR 52.204-21 where you have documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your FAR 52.204-21 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements, and this can provide your organization with a semi-customized solution that requires minimal resources to fine-tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to NIST 800-53, as well as other leading security frameworks!
Comprehensive FAR 52.204-21 Compliance Documentation
ComplianceForge has FAR 52.204-21 compliance documentation that applies if you are a prime or sub-contractor. The current fifteen (15) basic cybersecurity requirements for FAR include:
- Limit access to authorized users.
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify controls on connections to external information systems.
- Impose controls on information that is posted or processed on publicly accessible information systems.
- Identify information system users and processes acting on behalf of users or devices.
- Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
- Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
- Limit physical access to information systems, equipment, and operating environments to authorized individuals.
- Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
- Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
- Implement sub networks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Is Your Organization "Audit Ready" for FAR 52.204-21?
When you "peel back the onion" and prepare for a FAR 52.204-21 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Written Information Security Program (WISP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit.
One thing to keep in mind is that while the current requirements are quite basic, there is a pending change with FAR to compel all US government contractors, not just DoD contractors, to comply with NIST 800-171.
Address FAR 52.204-21 Compliance With The NIST-based Written Information Security Program (WISP)
The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework, and it can help your organization become compliant with FAR 52.204-21 requirements.
This NIST-based WISP is a comprehensive, customizable, easily implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
NIST 800-53 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, based on regulatory requirements.
You can see an example of the NIST 800-53 WISP here.