FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. Basic (Nov 2021) (Current)

As prescribed in 4.1903, the contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.

Basic Safeguarding of Covered Contractor Information Systems (Nov 2021)

      (a) Definitions. As used in this clause—

           Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

           Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

           Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

           Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).

           Safeguarding means measures or controls that are prescribed to protect information systems.

      (b) Safeguarding requirements and procedures.

           (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

                (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

                (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

                (iii) Verify and control/limit connections to and use of external information systems.

                (iv) Control information posted or processed on publicly accessible information systems.

                (v) Identify information system users, processes acting on behalf of users, or devices.

                (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

                (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

                (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

                (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

                (x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

                (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

                (xii) Identify, report, and correct information and information system flaws in a timely manner.

                (xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

                (xiv) Update malicious code protection mechanisms when new releases are available.

                (xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

           (2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.

      (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

(End of clause)

Mandatory (Exception):
  52.244-6 (Applies when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.)

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.

252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

252.204-7018 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services.

252.204-7017 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services-Representation.

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

252.239-7010 Cloud Computing Services.

252.239-7017 Notice of Supply Chain Risk.

252.239-7018 Supply Chain Risk.

252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System.

3052.204-70 Security requirements for unclassified information technology resources.

3052.204-71 Contractor employee access.

552.204-9 Personal Identity Verification Requirements.

552.238-110 Commercial Satellite Communication (COMSATCOM) Services.

752.204-72 Access to USAID facilities and USAID's information systems.

952.204-77 Computer security.

952.223-76 Conditional payment of fee or profit-safeguarding restricted data and other classified information and protection of worker safety and health.

970.5203-1 Management controls.

970.5204-1 Counterintelligence.

970.5204-3 Access to and ownership of records.

52.204-28 Federal Acquisition Supply Chain Security Act Orders-Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.

52.204-29 Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures.

52.204-30 Federal Acquisition Supply Chain Security Act Orders-Prohibition.

52.204-27 Prohibition on a ByteDance Covered Application.

252.204-7016 Covered Defense Telecommunications Equipment or Services-Representation.

252.204-7000 Disclosure of Information.

252.204-7008 Compliance with Safeguarding Covered Defense Information Controls.

252.239-7000 Protection Against Compromising Emanations.

252.239-7009 Representation of Use of Cloud Computing.

252.245-7000 Government-Furnished Mapping, Charting, and Geodesy Property.

1852.246-74 Contractor Counterfeit Electronic Part Detection and Avoidance.

3052.204-72 Safeguarding of Controlled Unclassified Information.

3052.204-73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents.

552.239-70 Information Technology Security Plan and Security Authorization.

552.239-71 Security Requirements for Unclassified Information Technology Resources.

652.239-70 Information Technology Security Plan and Accreditation.

652.239-71 Security Requirements for Unclassified Information Technology Resources.

752.239-70 Information Technology Authorization.

752.239-72 USAID-Financed Project Websites.

752.227-71 Planning, Collection, and Submission of Digital Information to USAID.

952.204-78 DOE Directives.
