Overview of Cybersecurity Requirements

Companies under contract with the federal government will have access to information that is not releasable in any form to the public. While information in physical form presents a risk, information in digital format presents an even greater one: many networks and computers that connect to the internet are not sufficiently secured, and a lack of user training can mean that day-to-day practices include risky behavior. Additionally, weaknesses in basic practices such as system access and password management, along with poor cyber hygiene, create targets of opportunity for both casual hackers and professionals.

The federal government expects contractors to take generally accepted steps to secure their systems against everyday threats. Unfortunately, experience has shown this not to be the case. Many companies have not secured their systems, and those with contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must be compliant with contractual requirements.

Specifically, contractors' systems are not compliant with the following: FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Currently, contractors and subcontractors are responsible for ensuring that their cybersecurity programs comply with the requirements of the respective clauses.