AAU/COGR Comments on Proposed Rule for "Basic Safeguarding of Contractor Information Systems"

The Association of American Universities (AAU) and Council on Government Relations (COGR) urged the Federal Acquisition Regulation (FAR) Councils to consider exempting contracts for fundamental research from the requirements set forth in the Proposed Rule to amend FAR and add a new subpart and contract clause for the basic safeguarding of contractor information systems. According to the comments submitted on October 18th, ". . . most of our member institutions have at least first level information technology security measures in place within the systems that they normally use for storing and processing data that require protection which appear to meet most of the Basic Safeguarding requirements." AAU and COGR cite increased costs and compliance burdens among their reasons for an exemption as applied to fundamental research.

The comments also address what AAU and COGR consider to be a broad potential scope of the information subject to these requirements. The scope of the Proposed Rule is for "…information systems that contain information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems" (emphasis added). The Proposed Rule cites the Federal Information Security Management Act (FISMA) of 2002 as the authority for imposing information security requirements on federal contractors. According to the comments, "The experience of our member institutions over the past 10 years is that agencies have tended to broadly expand FISMA requirements to information developed under federal contracts regardless of whether the information is a deliverable under the contract." That led the AAU and COGR to recommend that the scope of the clause be limited by changing the phrase "generated for" to "delivered to", which makes clear that the information must be a deliverable under the contract and/or a contract requirement.

This proposed FAR rule would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information). DoD, GSA, and NASA have already concluded that these requirements are an extension of the requirements under the Federal Information Security Management Act (FISMA) of 2002. The contractor is to provide "protective measures" to information that will be resident on or transiting through contractor information systems in the following areas:

  • Public computers or Web sites
  • Transmitting electronic information
  • Transmitting voice and fax information
  • Physical and electronic barriers
  • Sanitization
  • Intrusion protection
  • Transfer Limitations

EDUCAUSE Policy will continue to monitor comments and follow the potential development of a Final Rule.

Do the proposed rules add new requirements or merely make explicit in the FAR what has been required of federal contractors by FISMA since 2002 and agency heads (see FAR 7.103c)?
Here's what it says about contractors and FISMA in OMB's annual memo to agency heads (latest version is here).
"Must Government contractors abide by FISMA requirements? Yes. Each agency must ensure their contractors are abiding by FISMA requirements. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Section 3544(b) requires each agency to provide information security for the information and "information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."...Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information -or which operate, use, or have access to Federal information systems (whether automated or manual) -on behalf of a Federal agency. Other organizations may include contractors, grantees, State and Local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems."
For some contractors this may be news but only because there has been more effort to make contractors comply over the last couple of years. In the OMB memo in 2010, agency Inspectors General were instructed to evaluate agency performance on ten items, one of which was "contractor oversight". Many agency IG reports since then highlight contractor oversight as an issue. No surprise then that FISMA requirements are becoming much more evident in contract RFPs and contract language.