FAR Clause 52.204-12 Basic Safeguarding of Covered Contractor Information Systems

The Federal Acquisition Regulation supplies Contracting Officers in the Executive Branch with detailed guidance concerning how to apply acquisition law and policy to government contracts.

In the case of cybersecurity, the FAR contains the following prescription for use of the clause at 52.204-12: "The contracting officer shall insert the clause at 52.204-12, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system."

Interpreting the Prescription

Breaking down the prescription, we see several key points:

1. This requirement applies to BOTH contractors and subcontractors at any tier. This means the clause applies to the prime contractor BUT also applies to the prime contractor's subcontractors (Tier 1) and to their subcontractors (Tier 2) and so forth.
2. The prescription calls for a judgement by the CO as to whether (e.g. may …) the contractor or subcontractor is likely to have something known as "Federal Contract Information" residing on or transiting (passing through) something called "its" (e.g., the contractor's or subcontractor's) "information system".

The requirement applies to all but a handful of government contracts for Commercial Off-the-Shelf items … so it probably applies to you. Read your contract(s) to be sure.

This leads us to the question of how these terms (e.g., Federal Contract Information or Information System) are defined, so that we can parse the language of the FAR. This is where the definitions in the actual contract clause come into play:

Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).