A new rule proposed for federal government contractors will require that all federal contracts over $100,000 (including contracts for commercial items and those to small businesses) include a clause requiring the contractor to implement basic data security protections for any non-public data provided to the contractor by the federal government or generated by the contractor for the government. If the rule is adopted, any such non-public information residing on or passing through a contractor's information system will have to be protected from unauthorized access and disclosure.

The Department of Defense, the General Services Administration and the National Aeronautics and Space Administration all recognize that an outgrowth of the requirements for federal agencies to provide security for information and information systems that support federal agency operations, as set forth under the Federal Information Security Act of 2002, includes the information and information systems managed by
Specific requirements include prohibitions on:

Processing government non-public information on public computers (e.g., kiosks or hotel business centers), on computers that lack access control, or through web sites that lack user access controls such as ID/passwords or user certificates;

Transmitting email, text messages or other communications of government non-public information without using encryption and other best practices to provide security and privacy;

Using voice or fax transmittal of government non-public information unless the sender has a "reasonable assurance" that access to the communication is limited to

Failing to protect government non-public information with both physical and electronic barriers to access;

Failing to sanitize physical media (disk drives, CDs, flash memory, etc.) of all government non-public information before releasing or disposing of the media;

Failing to implement and maintain current releases of anti-virus/antispyware software and failing to promptly apply security-relevant operating system and application software

Transferring government non-public information to subcontractors or other third parties that are not contractually bound to the contractor to implement these same protections.
Contractors whose work requires use of classified, sensitive, personal or health-related data have been subject to strict data security requirements for many years. This is the first time that a data security rule applicable to such a broad swath of government contractors has been proposed. Its requirements are relatively modest, reflecting a standard of care already common in industry. It does emphasize that federal agencies are under considerable Congressional pressure to reduce the government's exposure to data security breaches through one of its most vulnerable access points – the contractors agencies employ to perform numerous functions requiring access to non-public

If this rule is made final and its provisions are passed through to government contracts, contractors of all sizes will need to evaluate their information systems and written information security programs in order to maintain compliance.

Comments on the proposed rule are being accepted through October 23, 2012 at www.regulations.gov (Cite FAR Case