Federal Acquisition Regulation Outlines Security Standards for Government Contractors
As government spending on private-sector contracting has risen, cybercriminals are increasingly targeting contractors whose cybersecurity safeguards fall short of federally mandated requirements. To prevent such breaches, U.S. Congress passed the Federal Acquisition Regulation (FAR) to give executive branch agencies more guidance on how to manage their relationships with private-sector contractors. Because agencies now expect their contractors to demonstrate data security compliance, contractors will need to implement FAR's requirements in order to be competitive when bidding for government contract work.
FAR 52.204-21 describes the baseline security safeguards that contractors working with government agencies must implement in order to work on outsourced government projects. FAR specifically protects all federal, nonpublic, and non-transactional information that either the government provides or the contractor creates during the course of a government-commissioned project. To ensure compliance, contractors will need to account for fifteen different data security factors—including access controls, data retention procedures, and auditing—when storing this data. In terms of access controls, contractors will need to restrict access to information systems containing government agency data to authorized users and devices only; restrict the types of activities, commands, and transactions that can be performed on those systems; and implement verification procedures and controls that restrict access to systems containing government data by external systems. These access controls pertain not only to your IT infrastructure but also to your physical and on-site security measures. Under FAR, contractors are required to escort visitors, keep audit logs of their activities, control physical access devices, and supervise organizational communications.
FAR also requires contractors to routinely examine their IT systems for potential cybersecurity shortcomings and to take immediate steps to patch them. As part of this, contractors will need to supervise and secure organizational communications and intersystem transmissions, report system vulnerabilities to their agency contacts, and set up separate subnetworks so that federal contract data is not exposed on public networks. FAR additionally requires contractors to implement targeted protections against malicious code on systems where government data is stored, and to apply security updates automatically as they become available.
It’s important to note that FAR only sets baseline requirements for federal agencies to enforce on their independent contractors. Agencies are free to build upon these baseline safeguards and impose more stringent security requirements tied to the types of data they work with. DFARS—the Defense Federal Acquisition Regulation Supplement—is one example of this: it requires Department of Defense contractors to adopt NIST 800-171’s data security recommendations and to incorporate cyber incident reporting, malicious software isolation, and related tasks when tracking and reporting cyber incidents. Many of the major executive branch departments—including the Departments of the Army, Interior, Navy, Treasury, State, and Homeland Security—have their own individual FAR subchapters. You can find a full list of the various FAR subchapters that could apply to private-sector contractors here.
AbacusNext’s virtual cloud hosting platform, Abacus Private Cloud, provides the protections and the support team you need to work safely with government agency data. Our platform lets you incorporate robust access controls, 2FA, 256-bit AES encryption, SSL A-rated international servers, and three layers of physical, server, and data security to manage your government information anywhere, on any device.