Many contractors we talk to believe that cybersecurity requirements are exclusively a concern of contractors working with DoD or on highly classified, top-secret projects. While perhaps true to some degree in the past, that belief is now outdated. In recent years, the federal government has steadily expanded the reach of cybersecurity requirements imposed on contractors and contracts of all shapes and sizes, and that trend is expected to continue.
As an example, one year ago this month the government implemented a new FAR clause, FAR 52.204-21, entitled “Basic Safeguarding of Covered Contractor Information Systems.” This clause, which went into effect on May 16, 2016, brings basic cybersecurity requirements to many federal contracts. The clause is supposed to be inserted in every solicitation and contract where a contractor or subcontractor at any tier may have federal contract information (FCI) residing in or transitioning through its information system.
FCI is broadly defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public.”
Prime contractors are also expected to flow down the clause to subcontracts at all tiers that may have FCI in their systems, including subcontracts for commercial items (but not subcontracts for commercial off-the-shelf items).
Keep reading this article at: http://www.mondaq.com/article.asp?articleid=602460