Federal Acquisition Regulation (FAR) 52.204-21
If you are new to Federal Acquisition Regulation (FAR) 52.204-21, it is a contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information."
FAR 52.204-21 imposes a set of fifteen (15) basic cybersecurity controls for contractor information systems upon which “Federal contract information” is stored, processed or transmitted. Federal contract information is defined as information provided by or generated for the Government under a contract to develop or deliver a product or service for the US Government. It is important to know that these requirements are expected to change shortly.
NIST 800-171 Implications for FAR 52.204-21
There are changes coming that will affect FAR 52.204-21 that are disclosed in NIST 800-171 (page v) that indicate FAR is going to adopt NIST 800-171 cybersecurity requirements to protect government data (e.g., Controlled Unclassified Information or Controlled Technical Information):
Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.
With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.
In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.
In the end, this means that complying with the US Government's cybersecurity requirements is more than just the 15 basic controls currently listed in FAR 52.204-21. NIST 800-171 is already a requirement for DoD contractors and is expected to be a requirement for all US Government contractors within the next few years, so it is better to spend your efforts and resources on addressing NIST 800-171 requirements to stay ahead of your competitors.
FAR vs DFARS - ISO 27002, NIST Cybersecurity Framework or NIST 800-53 Frameworks - What Is The Best Approach?
The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171.
Essentially, this means that only the NIST 800-53 framework is going to meet FAR requirements of NIST 800171 - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.
Cost of Non-Compliance With FAR 52.204-21
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with FAR requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a FAR-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., FAR cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
Affordable, Editable FAR 52.204-21 Compliance Documentation
ComplianceForge is a niche cybersecurity company that specializes in compliance-related documentation. We are a leading provider for FAR 52.204-21 compliance documentation, where we serve clients from small businesses through the Fortune 500 with our FAR 52.204-21 compliance products.
What Problem Does ComplianceForge Solve?
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive FAR 52.204-21 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers FAR 52.204-21 documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with FAR 52.204-21 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with FAR 52.204-21 but cannot provide evidence. Our documentation can help you become and stay compliant with FAR 52.204-21 where you have documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your FAR 52.204-21 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!
Comprehensive FAR 52.204-21 Compliance Documentation
ComplianceForge has FAR 52.204-21 compliance documentation that applies if you are a prime or sub-contractor. These current, fifteen (15) basic cybersecurity requirements for FAR include:
- Limit access to authorized users.
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify controls on connections to external information systems.
- Impose controls on information that is posted or processed on publicly accessible information systems.
- Identify information system users and processes acting on behalf of users or devices.
- Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
- Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
- Limit physical access to information systems, equipment, and operating environments to authorized individuals.
- Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
- Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
- Implement sub networks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from scans of files from external sources as files are downloaded, opened, or executed.
Is Your Organization "Audit Ready" for FAR 52.204-21?
When you "peel back the onion" and prepare for a FAR 52.204-21 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Written Information Security Program (WISP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit.
One thing to keep in mind is that while the current requirements are quite basic, there is a a pending change with FAR to compel all US government contractors, not just DoD contractors, to comply with NIST 800-171.
Address FAR 52.204-21 Compliance With The NIST-based Written Information Security Program (WISP)
The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework and it can help your organization become compliant with FAR 52.204-21 requirements
This NIST-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
NIST 800-53 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, based on regulatory requirements.
You can see an example of the NIST 800-53 WISP here.