FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a contract clause in the Federal Acquisition Regulation (FAR) that applies to federal contracts across agencies, not just those with the DoD (the clause is not prescribed for acquisitions of commercially available off-the-shelf, or COTS, items). It lays out a set of 15 basic cybersecurity controls for safeguarding contractor information systems that process, store, or transmit federal contract information (FCI). FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” Any contractor whose information systems handle FCI (including subcontractors with access to FCI, since the clause flows down to them) is required to comply with these controls. These 15 controls form the basis for the CMMC Level 1 requirements.
Limit information system access to authorized users
Limit information system access to the types of transactions and functions that authorized users are permitted to execute
Verify and control/limit connections to and use of external information systems
Control information posted or processed on publicly accessible information systems
Identify information system users, processes acting on behalf of users, or devices
Verify the identities of those users, processes, or devices as a prerequisite to allowing access to organization information systems
Sanitize or destroy information system media containing FCI before disposal or release for reuse
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices
Monitor, control, and protect organizational communications
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
Identify, report, and correct information and information system flaws in a timely manner
Provide protection from malicious code at appropriate locations within organizational information systems
Update malicious code protection mechanisms when new releases become available
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Achieving FAR 52.204-21 Compliance
Achieving FAR 52.204-21 compliance can be quite a challenge for many contractors. It requires a deep understanding of your networks and systems, security processes, and procedures. The right cybersecurity compliance partner can help you implement the most comprehensive solution for your business by partnering with you to develop policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you meet compliance and properly protect your business.
Tesseract Managed Cybersecurity Programs combine a variety of services into a single, cost-effective, comprehensive program to help you achieve and maintain FAR 52.204-21 compliance and develop a strong cyber defense for your organization. Tesseract delivers the resources of a Managed Security Service Provider (MSSP), Managed Service Provider (MSP), Managed Defense & Response (MDR), Compliance Consulting Services (vCISO), and Compliance Management Software all in one, proven, affordable solution.