FAR 52.204-21 Compliance

FAR Basic Safeguarding Requirements.

A Guideline that Follows Cybersecurity Best Practices

Contracts with the federal government are a major source of business for many companies. Unfortunately, many businesses miss out on these contracts because they cannot demonstrate adequate cybersecurity compliance, which is necessary not only for Tier 1 suppliers but also for many of their subcontractors down the line who may be supplying parts or handling sensitive information.

FAR 52.204-21 lists fifteen requirements that all contractors must meet in order to work with the federal government. These requirements are designed to protect Federal Contract Information (FCI), which includes many contracts, financial statements, and design specs that the contractor may handle over the course of a project.

The 15 FAR Basic Requirements are a part of the NIST SP 800-171r2 Framework, and provide a good first step toward broader DFARS/NIST compliance.

Even if your company does not currently contract with the federal government, being able to demonstrate FAR 52.204-21 compliance puts you in a position to accept contracts in the future, even on short notice. More importantly, the guidelines follow best practices for cybersecurity, and are therefore useful to any company that wants to strengthen its cybersecurity policies.


Guidelines at a Glance

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
