By: s.m.amend | April 09, 2017

Effective June 15, 2016, the DoD, GSA, and NASA issued a final rule “amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information.” (

The new subpart FAR 4.19, Basic Safeguarding of Covered Contractor Information Systems, includes contract clause 52.204-21.  The rule is mandatory, and effective immediately upon contract award or contract modification execution. notes that the clause, “Does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI)”. 

The clause states that contractors must perform basic protection requirements to ensure data integrity and confidentiality, and identifies 15 security measures for safeguarding a covered contractor information system:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Arrowhead encourages government contract holders to read your contracts thoroughly when evaluating your compliance posture with 52.204-21.  In doing so, it is helpful to understand the differences between relevant National Institute of Standards and Technology publications NIST 800-53 and NIST 800-171.

NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the older of the two publications that discusses the security of federal information systems.  Unless you are a contractor operating a federal information system on behalf of the government, it probably does not apply to you. To be certain, check to see if 800-53 compliance is included into your contract clauses. 

NIST 800-171, Protecting Uncontrolled Classified Information in Nonfederal Information Systems and Organizations, is used when CUI is resident in non-federal information systems and organizations.  The NIST 800-171 publication condenses some of the 800-53 compliance points and is intended for use by federal agencies with recommended standards for protecting the confidentiality of Controlled Unclassified Information.  The requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for those components when the information systems where the CUI resides are not operated by organizations on behalf of the federal government. (Source: NCMA).

Contractors must implement security requirements in NIST 800-171 no later than December 31, 2017.

Further, contractors must include a paragraph referencing the clause in their subcontracts where the sub may have Federal contract information “residing in” or “transiting through its information system.” 

For more information on this topic, call Arrowhead Solutions to see how we can help you with your government contract compliance needs. 


Be the first to comment ...

Post a Comment


wrap rates

government accounting

government contracting

what is a wrap rate?

indirect rates

competitive wrap rate

wrap rates in government contracting


Government Marketing


GSA Schedule


Federal government contracting opportunities







Winning Government Contracts

DCAA Audit

Government Accounting Compliance


Navy SeaPort-e

SeaPort-e rolling admissions

business development for government contractors



GSA Compliance

trends in government contracting

Professional Services Schedule (PSS)

Commercialization Assistance

Technical Commercialization Assistance

SBIR Commercialization Assistance

SBIR Technical Commercialization Assistance




small business construction contractors

Federal government contracting


Better Buying Power 3.0

SBIR 15.2


Government Opportunities for Fiscal 2015

DoD 2015.3 SBIR Solicitation

DoD SBIR/STTR Solicitation

DoD 2015.C STTR Solicitation


Department of Energy SBIR

sbir topics

sbir funding

air force sbir

air force sbir topics

air force sbir early release

sbir release dates

sbir funding opportunities

dod sbir

doe sbir

doc sbir

noaa sbir

epa sbir

nasa sbir

sbir training

training for government contractors

sbir class

learn about sbir

basics of government contracting

webinar training for government contractors

sbir phase 1

sttr phase 1

sbir grants. sbir funding

Federal government opportunities


government subcontracting

training for government subcontractors


nasa niac


nasa technology funding

Arrowhead Solutions






Service Contract Act






NIST 800-171

52 204-21



FAR 4 19