48 CFR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems.

52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

As prescribed in 4.1903, insert the following clause:

Basic Safeguarding of Covered Contractor Information Systems (JUN 2016)

(a) Definitions. As used in this clause -

Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).

Safeguarding means measures or controls that are prescribed to protect information systems.

(b) Safeguarding requirements and procedures.

(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

(End of clause)
[81 FR 30446, May 16, 2016]

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
U.S. Code: Title 10 - ARMED FORCES

[§ 2301 - Repealed. Pub. L. 103–355, title I, § 1501(a), Oct. 13, 1994, 108 Stat. 3296]

§ 2302 - Definitions

§ 2302a - Simplified acquisition threshold

§ 2302b - Implementation of simplified acquisition procedures

[§ 2302c - Repealed. Pub. L. 114–328, div. A, title VIII, § 833(b)(5)(A)(i), Dec. 23, 2016, 130 Stat. 2285]

§ 2302d - Major system: definitional threshold amounts

§ 2303 - Applicability of chapter

[§ 2303a - Repealed. Pub. L. 98–577, title III, § 302(c)(1), Oct. 30, 1984, 98 Stat. 3077]

§ 2304 - Contracts: competition requirements

§ 2304a - Task and delivery order contracts: general authority

§ 2304b - Task order contracts: advisory and assistance services

§ 2304c - Task and delivery order contracts: orders

§ 2304d - Task and delivery order contracts: definitions

§ 2304e - Contracts: prohibition on competition between Department of Defense and small businesses and certain other entities

§ 2305 - Contracts: planning, solicitation, evaluation, and award procedures

§ 2305a - Design-build selection procedures

§ 2306 - Kinds of contracts

§ 2306a - Cost or pricing data: truth in negotiations

§ 2306b - Multiyear contracts: acquisition of property

§ 2306c - Multiyear contracts: acquisition of services

§ 2307 - Contract financing

§ 2308 - Buy-to-budget acquisition: end items

§ 2309 - Allocation of appropriations

§ 2310 - Determinations and decisions

§ 2311 - Assignment and delegation of procurement functions and responsibilities

§ 2312 - Remission of liquidated damages

§ 2313 - Examination of records of contractor

§ 2313a - Defense Contract Audit Agency: annual report

§ 2314 - Laws inapplicable to agencies named in section 2303 of this title

§ 2315 - Law inapplicable to the procurement of automatic data processing equipment and services for certain defense purposes

§ 2316 - Disclosure of identity of contractor

[§ 2317 - Repealed. Pub. L. 103–160, div. A, title VIII, § 821(a)(2), Nov. 30, 1993, 107 Stat. 1704]

§ 2318 - Advocates for competition

§ 2319 - Encouragement of new competitors

§ 2320 - Rights in technical data

§ 2321 - Validation of proprietary data restrictions

§ 2322 - Management of intellectual property matters within the Department of Defense

§ 2323 - Contract goal for small disadvantaged businesses and certain institutions of higher education

§ 2323a - Credit for Indian contracting in meeting certain subcontracting goals for small disadvantaged businesses and certain institutions of higher education

§ 2324 - Allowable costs under defense contracts

§ 2325 - Restructuring costs

§ 2326 - Undefinitized contractual actions: restrictions

§ 2327 - Contracts: consideration of national security objectives

§ 2328 - Release of technical data under Freedom of Information Act: recovery of costs

§ 2329 - Procurement of services: data analysis and requirements validation

§ 2330 - Procurement of contract services: management structure

§ 2330a - Procurement of services: tracking of purchases

§ 2331 - Procurement of services: contracts for professional and technical services

§ 2332 - Share-in-savings contracts

§ 2333 - Joint policies on requirements definition, contingency program management, and contingency contracting

§ 2334 - Independent cost estimation and cost analysis

§ 2335 - Prohibition on collection of political information

[§ 2336 - Renumbered § 2679]

§ 2337 - Life-cycle management and product support

U.S. Code: Title 40 - PUBLIC BUILDINGS, PROPERTY, AND WORKS
U.S. Code: Title 51 - NATIONAL AND COMMERCIAL SPACE PROGRAMS

Title 48 published on 03-Jul-2018 05:32

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 48 CFR Part 52 after this date.

  • 2018-07-23; vol. 83 # 141 - Monday, July 23, 2018
    1. 83 FR 34820 - Federal Acquisition Regulations: Use of Acquisition 360 To Encourage Vendor Feedback
      DEPARTMENT OF DEFENSE, GENERAL SERVICES ADMINISTRATION, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
      Advance notice of proposed rulemaking.
      Interested parties should submit written comments to the Regulatory Secretariat Division at one of the addresses shown below on or before September 21, 2018 to be considered in the formulation of a proposed rule.
      48 CFR Parts 5, 42, and 52
