November 29, 2021

Broad new data security rule proposed for federal contractors

A new rule proposed for federal government contractors would require that all federal contracts over $100,000 (including contracts for commercial items and those to small businesses) include a clause requiring the contractor to implement basic data security protections for any non-public data provided to the contractor by the federal government or generated by the contractor for the government. If the rule is adopted, it will require that any such non-public information residing on or passing through a contractor’s information system be protected from unauthorized access and disclosure. The Department of Defense, the General Services Administration and the National Aeronautics and Space Administration all recognize that the requirement for federal agencies to secure the information and information systems that support agency operations, as set forth under the Federal Information Security Act of 2002, extends to the information and information systems managed by contractors.

Specific requirements include prohibitions on:

  • Processing government non-public information on public computers (e.g., kiosks or hotel business centers), on computers that lack access control or through web sites that lack user access controls such as ID/passwords or user certificates;
  • Transmitting email, text messages or other communications of government non-public information without using encryption and other best practices to provide security and privacy;
  • Using voice or fax transmittal of government non-public information unless the sender has a “reasonable assurance” that access to the communication is limited to authorized recipients;
  • Failing to protect government non-public information with both physical and electronic barriers to access;
  • Failing to sanitize physical media (disk drives, CDs, flash memory, etc.) of all government non-public information before releasing or disposing of the media;
  • Failing to implement and maintain current releases of anti-virus/antispyware software and failing to promptly apply security-relevant operating system and application software upgrades; and
  • Transferring government non-public information to subcontractors or other third parties that are not contractually bound to the contractor to implement these same protections.

Contractors whose work requires use of classified, sensitive, personal or health-related data have been subject to strict data security requirements for many years. This is the first time that a data security rule applicable to such a broad swath of government contractors has been proposed. Its requirements are relatively modest, reflecting a standard of care already common in industry. It does emphasize that federal agencies are under considerable Congressional pressure to reduce the government’s exposure to data security breaches through one of its most vulnerable access points – the contractors agencies employ to perform numerous functions requiring access to non-public data.

If this rule is made final and provisions are passed through to government contracts, contractors of all sizes will need to evaluate their information systems and written information security programs in order to maintain compliance.

Comments on the proposed rule are being accepted through October 23, 2012 at www.regulations.gov (Cite FAR Case 2011-020).

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume II, Number 256
