FAR Rule 52.204-21 requires IT “safeguarding measures” for Primes and Subs.
A recent final rule amending the Federal Acquisition Regulation (FAR clause 52.204-21) requires government contractors to apply “basic safeguarding measures” to their information systems as of June 15, 2016.
(Note: The TBS Enterprise Cloud's SOC2-audited IT controls meet and exceed all FAR 52.204-21 requirements.)
The rule is of particular importance for government contractors that choose to host their accounting, reporting, project collaboration, and other systems with Cloud Service Providers, where visibility into IT security controls and audit regimes is potentially limited.
Both prime contractors and subcontractors should be aware of the following key elements of FAR 52.204-21:
The rule is not focused on the protection of specific information, but instead on “contractor information systems” — any “information system owned and operated by a contractor that processes, stores, or transmits Federal contract information.”
The rule does not distinguish between types of information, and broadly outlines a basic set of protections for ALL federal contract information. Additional FAR rules then build upon 52.204-21 with requirements for controlled unclassified information (CUI) or more sensitive information.
Somewhat uniquely, contracting officers must make a determination on FAR rule 52.204-21 at contract award. Experts believe this will lead to the rule being broadly applied.
FAR 52.204-21 imposes a reporting obligation on prime contractors and subcontractors when they discover “information system flaws,” including a mandate that primes and subcontractors prove their capacity to detect such flaws and report them to customer agencies in a timely manner.
For organizations that host their accounting, reporting or project collaboration systems with Cloud Service Providers, increased visibility and understanding of these vendors’ security controls and audit scopes are required.
To verify whether your Cloud Provider meets FAR rule 52.204-21 requirements, keep in mind these 5 fundamentals of Cloud Security:
1. Your Cloud Provider’s hosting model defines their security model.
There are two basic Cloud hosting types — the “outsourced infrastructure model” and the “owner platform model.”
In the outsourced infrastructure model, Cloud providers rely upon third-party data center facilities or infrastructure services (like AWS) to manage hardware, application / database hosting and maintenance, and some system security, including physical access measures.
With the owner-platform model, Cloud providers own and operate their hardware and infrastructure, and have SINGULAR RESPONSIBILITY for security, including the delivery layer as well as operating systems, hosted applications and databases, and service and support functions.
2. The compliance regimes and audits held by third-party facilities or infrastructure services DO NOT ALSO COVER the Cloud Service Provider that has outsourced its hosting.
Just because a facility has a SOC2 Type II audit does not mean the Cloud Service Provider utilizing that infrastructure is also audited for Cloud Security, Availability, Privacy, Confidentiality and Integrity, the AICPA’s “Trust Services Principles.”
Another example: Though outsourced infrastructure may meet ITAR compliance, the Cloud Service Provider that's reselling the infrastructure may NOT be staffed only by U.S. citizens, or only operate in the continental United States.
3. If your Cloud Service Provider uses subcontractors, those companies and individuals are NOT covered by the provider’s audit.
Subs must have their own audits covering FAR 52.204-21 “basic safeguarding measures” and more, and these audits must align with the Cloud Service Provider’s controls to provide complete assurance.
4. Cloud security should include data conversion and integration.
If you’re bringing data into a Cloud-based system or syncing Cloud data (accounting, contract, personnel, etc.) with a third-party product, pay special attention to your Cloud Provider’s integration methods and tools.
If the Cloud Provider utilizes external consultants and off-line utilities for data mapping or transformation, these activities fall outside of the provider’s security controls and audit reach, thereby undermining your ability to meet your safeguarding and reporting obligations under FAR 52.204-21.
5. Organizations utilizing Cloud Service Providers still maintain “Executive Responsibility” for secured system access.
To learn more about FAR 52.204-21 and Cloud Hosting and Security models, read or download the TBS whitepaper, FAR 52.204-21, SOC2 Security Controls and TBS Enterprise Cloud Hosting, or contact TBS at Info@TBS-llc.com or 703.444.6562 x1.