Federal information “not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments” is termed Federal Contract Information(FCI) and requires compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

This clause specifies 15 requirements for companies to implement to safeguard FCI. Companies must take appropriate actions when clause 52.204-21 is either included by reference or full text in a company’s federal award or purchase order from their prime.

Prime Contractors that must comply with these requirements, must also flowdown the substance of this clause to their subcontractors and suppliers when FCI is shared with them. The requirement to flowdown the clause and referenced requirements continues at any level of the supply chain including subcontracts for commercial products and commercial services when “the subcontractor may have Federal contract information residing in or transiting through its information system.” Consequently, companies should review a prime’s general terms and conditions, an award from a prime as well as their general terms and conditions used when awarding contracts to subcontractors and/or suppliers.

Contractors should also be aware while compliance with clause 52.204-21 is required, these requirements apply just to the safeguarding of FCI and may not satisfy the needs of every category of information and/or program. The very nature of government contracting brings businesses into contact with many different categories of information. Therefore, this clause also specifies – “This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.”