On May 16, 2016 the Federal Government published a Federal Acquisition Regulation clause requiring contractors to protect their systems with 15 basic security controls. The clause is FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”, and it took effect on June 15, 2016. An information system is a “discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” This includes computers, networks, printers, and digital and non-digital media. A covered contractor information system is any information system that processes, stores, or transmits federal contract information. Federal contract information is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service; it does not include information the Government provides to the public (for example on public websites) or simple transactional information such as that needed to process payments. For most small and medium sized companies the covered systems will likely encompass all of their IT systems, because contract information ends up in email, file shares, and laptops rather than in one isolated place.
The 15 Security Controls Explained in Plain English
Control 1 of 15 (FAR 52.204-21(b)(1)(i)): Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
In short, people who are not supposed to access your systems should be prevented from doing so, and access should be granted only to individuals (and processes and devices) with a business need. As a result, this control requires that you have a formal process in place to authorize and document access to your systems and that the access is enforced by an authentication mechanism (e.g. passwords). Removing access when someone leaves or changes roles is part of the same process.
Control 2 of 15 (FAR 52.204-21(b)(1)(ii)): Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
This control is about least privilege. Users should only be able to perform the transactions and functions, and reach the data, that their assigned tasks require; a user who only needs to read project documents should not be able to administer the server that holds them. This is usually accomplished with role based access controls. The same role model gives you a basis for separation of duties, but that is a separate NIST SP 800-171 requirement and not one of the 15.
Control 3 of 15 (FAR 52.204-21(b)(1)(iii)): Verify and control/limit connections to and use of external information systems.
This control deals with limiting employee use of, and connections from, systems you do not control, such as personal devices, personal cloud storage, or a computer at a hotel, because you cannot verify the security state of those systems and do not have control over the data stored on them. You should not allow contract information on systems you do not control, and you should decide and document what, if anything, an external system is allowed to connect to on your network.
Control 4 of 15 (FAR 52.204-21(b)(1)(iv)): Control information posted or processed on publicly accessible information systems.
This control is straightforward: federal contract information that has not been released to the public by the government should not be stored in any location accessible by the general public. This includes your website, social media, or any other public medium. Policies should be in place to prevent federal contract information from being posted publicly, and someone should be responsible for reviewing content before it is published.
Control 5 of 15 (FAR 52.204-21(b)(1)(v)): Identify information system users, processes acting on behalf of users, or devices.
In short, accounts used on your systems should be traceable to the person using them. So an account used by John Doe should be named jdoe or John.Doe, not Surfer1985. This is especially important if you need to trace an event back to a user when examining audit logs. In some cases shared or service accounts with a non-identifying name such as “backupservice” may be necessary; these should be well documented, limited to what the service needs, and controlled.
Control 6 of 15 (FAR 52.204-21(b)(1)(vi)): Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
This control seeks to ensure that the subject accessing your system is actually who they claim to be. For example, there may be an account named jdoe, but if the password is “1234” then there is no guarantee that John Doe has actually logged in. This is best accomplished by having robust account provisioning and password reset procedures as well as a strong password policy. Two-factor authentication (not required by FAR 52.204-21 as of the writing of this guide) is also an excellent way of accomplishing this.
Control 7 of 15 (FAR 52.204-21(b)(1)(vii)): Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
This is another straightforward one: before disposing of media or releasing it for reuse outside your control, it should be sanitized or destroyed so that the information is not recoverable by unauthorized persons. Media includes non-digital (paper, notebooks) and digital (e.g. thumb drives, hard disks, tapes). Deleting files or formatting a drive is not sanitization; use overwriting, cryptographic erasure, or physical destruction.
Control 8 of 15 (FAR 52.204-21(b)(1)(viii)): Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Physical access to designated areas should be restricted (e.g. locked doors, locked cabinets) to authorized persons, and the authorized persons should be identifiable (e.g. ID card/badge) and documented.
Control 9 of 15 (FAR 52.204-21(b)(1)(ix)): Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
Visitors should be escorted in areas where federal contract information is stored, and a visitor sign-in and sign-out log should be maintained as your record of physical access. Proximity cards, keys, and other physical access devices should be inventoried and updated to reflect changes in personnel access.
Control 10 of 15 (FAR 52.204-21(b)(1)(x)): Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.
This one is wordy and seems complicated, but it essentially means monitoring, controlling and protecting traffic where your network meets the internet and at key internal boundaries, in practice with firewalls and intrusion detection or prevention systems. You need to establish what the boundary of your information system is to properly implement this control, and that boundary definition belongs in your system security plan.
Control 11 of 15 (FAR 52.204-21(b)(1)(xi)): Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
This control requires that publicly accessible components (your web server, mail gateway, remote access portal) sit in their own subnetwork, commonly known as a DMZ (demilitarized zone), that is physically or logically separated from your internal network, usually by a firewall. The point is that if a public-facing host is compromised, the attacker does not land on the same network as your file servers and workstations: traffic from the DMZ to the internal network should be denied by default, with only documented exceptions allowed.
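The following nftables ruleset is an added example, not part of the original page or of any product it describes, showing what the separated subnetwork looks like on a Linux gateway with three interfaces. The interface names (wan0, dmz0, lan0), the address ranges, and the web server address are assumptions; adapt them to your environment.

```nft
#!/usr/sbin/nft -f
# Added example ruleset: internet (wan0) / DMZ (dmz0) / internal LAN (lan0).
# Interface names and addresses below are assumptions for illustration.
flush ruleset

define WAN = "wan0"
define DMZ = "dmz0"
define LAN = "lan0"
define DMZ_NET = 192.0.2.0/24    # assumed DMZ subnet (documentation range)
define LAN_NET = 10.10.0.0/16    # assumed internal subnet
define WEB = 192.0.2.10          # assumed public web server in the DMZ

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # the gateway itself is managed only from the internal network
        iifname $LAN tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service on the web host
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # Internet -> LAN: no rule at all, so it falls to the drop policy

        # DMZ -> LAN: denied. The drop policy already covers this; the explicit
        # logged drop makes attempts visible in the logs. Any exception (for
        # example a database the web host must reach) is added above this line
        # and recorded in the system security plan.
        iifname $DMZ oifname $LAN ip saddr $DMZ_NET log prefix "dmz-to-lan-blocked " drop

        # DMZ -> Internet: outbound only what the web host needs for updates
        iifname $DMZ oifname $WAN tcp dport { 80, 443 } accept
        iifname $DMZ oifname $WAN udp dport 53 accept

        # LAN -> DMZ: administrators reach the web host over SSH and HTTPS
        iifname $LAN oifname $DMZ ip saddr $LAN_NET ip daddr $WEB tcp dport { 22, 443 } accept

        # LAN -> Internet: general outbound access
        iifname $LAN oifname $WAN accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish the web server's HTTPS port on the WAN address
        iifname $WAN tcp dport 443 dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The property to check is that there is no accept rule for traffic entering on dmz0 and leaving on lan0: the DMZ can be reached from the internet and managed from the LAN, but cannot initiate connections inward. If you later need an exception, add it as a narrow rule (one source host, one destination, one port) and document it, rather than widening the policy.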
Control 12 of 15 (FAR 52.204-21(b)(1)(xii)): Identify, report, and correct information and information system flaws in a timely manner.
This control requires that you identify, report, and correct flaws in your systems, which in practice means patching vulnerabilities in accordance with your configuration management policies and procedures. Patching should be done relatively quickly to avoid an attacker exploiting a known vulnerability; define what “timely” means for your organization (for example, a fixed number of days by severity), and track and document any system that cannot be patched on schedule.
Control 13 of 15 (FAR 52.204-21(b)(1)(xiii)): Provide protection from malicious code at appropriate locations within organizational information systems.
This control requires that you maintain anti-malware software on your systems. The phrase “appropriate locations” leaves it to you to decide, based on risk, where protection is needed (workstations, email gateways, file servers) rather than mandating it on every host. It is not a blanket exemption: if a technical constraint prevents installing anti-malware on a particular system, document the constraint and the compensating measures in your system security plan.
Control 14 of 15 (FAR 52.204-21(b)(1)(xiv)): Update malicious code protection mechanisms when new releases are available.
This means that you need to configure your anti-malware software to update both its engine and its signatures automatically, so that it can detect the latest malware, and to verify that the updates are actually being applied.
Control 15 of 15 (FAR 52.204-21(b)(1)(xv)): Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Your anti-malware software should be configured to scan periodically and to scan files in real time as they are downloaded, opened, or executed. It should also quarantine dangerous files and be able to disinfect your systems.
Planning Ahead For 110 NIST 800-171 Security Controls
As of the writing of this guide you are only required to implement 15 security controls to meet FAR 52.204-21 requirements; however, the Government has made it clear that it will eventually mandate the 110 security controls of the NIST SP 800-171 framework. Luckily the 15 controls above correspond directly to basic requirements in NIST SP 800-171, so you will already have some of them completed.
What do I need to do?
- Review your current or potential Federal contract to ensure that the FAR 52.204-21 clause is present.
- Determine if and where non-public federal contract information is processed, stored, or transmitted on your systems.
- Determine which of the 15 controls you already have in place.
- Create a plan of action & milestones (POA&M) to implement the absent controls.
- Document your in place and planned controls in a system security plan (SSP).
- Implement the absent controls in accordance with your POA&M.
- Start planning for the future and begin implementing the NIST SP 800-171 controls.
The Consequences of Noncompliance
If your Federal contract contains the FAR 52.204-21 clause and you have not implemented the 15 controls, you are not meeting a contract requirement, and you risk losing your current contracts and any chance of winning future ones, particularly if federal contract information is compromised. However, if you have the 15 controls in place and federal contract information is still compromised, the failure of those controls to adequately protect the information does not by itself constitute a breach of contract. So it’s best that you do your part and implement the 15 controls.
How we can help
Desired Outcomes can help ensure that you are compliant with FAR 52.204-21. Our staff has extensive experience documenting and implementing the 15 FAR controls and the 110 NIST SP 800-171 controls for federal contractors. We will provide you with a gap assessment report telling you where you are, where you need to be and how to get there, as well as a plan of action & milestones document and a system security plan. We can also assist you in implementing the mandated security controls.