On August 24, 2012, the Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration (“FAR Council”) issued a Proposed Rule that would require contractors to implement basic safeguards for their information systems to protect non-public information and data of the federal government provided by or generated for the government (“Government Information”). The Proposed Rule adopts most of the “basic” requirements from the Advance Notice of Proposed Rulemaking issued by the Department of Defense on March 3, 2012.
The Proposed Rule requires contractors to implement the following safeguards to protect Government Information:
• Implementing access controls for Government Information on public computers (e.g., computers available at kiosks and hotel business centers) and prohibiting Government Information from being posted on publicly accessible websites unless access controls beyond domain/Internet Protocol restrictions (e.g., ID/passwords or user certificates) are in place;
• Using the best level of security and privacy available before transmitting Government Information by e-mail, text message, blogs, or similar communications;
• Ensuring the sender of a voicemail or fax that includes Government Information has reasonable assurance that access is limited to authorized recipients;
• Protecting Government Information by at least one physical and one electronic barrier (e.g., locked container or room, login and password) when not under direct individual control;
• Sanitizing or overwriting, in accordance with specified standards, Government Information on media that has been used to process Government Information before external release or disposal;
• Providing updated malware protective services (e.g., anti-virus and anti-spyware) and prompt application of security-relevant protection services (e.g., patches, service packs, and hot fixes) to protect against computer intrusions and data compromise; and
• Only transferring Government Information to subcontractors that (1) require the Government Information for contractual performance purposes; and (2) provide at least the same level of security as required by the Proposed Rule.
These are only the basic requirements for contractors to safeguard Government Information. Contractors may be required to follow more stringent requirements imposed by their particular contracts.
These requirements would apply to all solicitations and contracts, including contracts for commercial items and COTS items, if the contractor's information systems contain Government Information. The Proposed Rule would also require prime contractors to flow these requirements down to all subcontractors that may or will have Government Information residing in or transmitted through their information systems.
Interested parties will have until October 23, 2012 to submit comments on the Proposed Rule.