Podcast Show Notes

2025-09-09 Federal Market Insights Episode 23 — Session Overview

WPI Podcast Episode 23 Summary 

Cybersecurity requirements for non-DoD vendors. The big 15: what you need to know and the actions to take.

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.

Government contractors must be prepared to handle two different types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The regulation for FCI is FAR 52.204-21 and the regulation for CUI is DFARS 252.204-7012. See: https://www.acquisition.gov

To comply with the requirements, a company must first know what information it is working with and, second, what is required to properly safeguard that information.

Companies must review FAR 52.204-21 to ensure compliance with all of its requirements. Staff must also be trained to meet the responsibilities of their positions. Policies and procedures must be created, reviewed, and kept up to date.

To be effective, policies and procedures should take into account the various uses, locations, and routes traversed by the information when developing and deploying appropriate security measures. The regulation specifically identifies the following broadly defined uses: processed, transiting the network, or stored.

As mentioned in a prior podcast, companies should also be aware of both record retention requirements and specialized destruction requirements. Shredding is permitted, but a common business document shredder will probably not satisfy the requirements. If third-party providers are used, appropriate vetting should take place prior to contract award, and disposal records should be required as part of the service. Consider including appropriate flow-down clauses when such services support one or more contracts.

Security measures may focus on a primary format such as text documents, but planning should address broad concerns and include the variety of formats that FCI can take. FCI is not limited to documents or emailed information; it can be information in any format, including images, recordings, data sets, models, and others.

FCI will most likely originate from the government, but in certain circumstances contractors may also generate FCI. It is important to recognize what constitutes FCI and what does not. FCI created under contract requires appropriate marking and safeguarding; it holds the same value as FCI issued by the government, and the security requirements are the same.

When in receipt of materials marked as containing FCI, determine what information needs to be controlled and what information does not.

Materials that contain FCI will be marked, but this does not mean that the entire document, all photographs, or an entire recording will be FCI. FCI may apply to the entire document, but it may not. Determine what information needs to be secured.

Cyber training is absolutely needed. However, one source reviewed indicated that 83% of cybersecurity incidents were caused by authorized staff using the appropriate equipment. Training is required and can help to raise awareness and reinforce good practice. Training may help to reduce mistakes, but it cannot eliminate them.

Cyber incidents can occur innocently in the course of performing one’s duties such as a staff member conducting research. This happened to an individual searching for a real estate related form. They found the form on a college website only to realize after the fact that the document was corrupted and contained malware. This can happen to anyone performing web-based research, including searching for federal resources.

Such incidents are not intentional; they were caused essentially by an “Oops.” Irrespective of the cause, a cyber incident must be documented and, if it qualifies, reported. Procedures and policies should also address these issues. Training and well-thought-out policies and procedures may assist. Policies and procedures that require downloaded documents to be scanned for threats prior to opening may help in alleviating specific issues.

Cybersecurity includes good cyber hygiene. Cyber hygiene will not address all issues, but just like practicing good general hygiene and covering one’s cough and/or washing one’s hands, good cyber hygiene can reduce a company’s exposure.

Cyber hygiene is important, but it will not prevent all issues; sometimes other measures are required. USB ports are a convenient and useful feature when used as intended. However, plugging in an employee’s USB device or a foreign USB device may introduce malicious software, leading to a reportable cyber incident. The question is whether the convenience of a USB port outweighs the threat it creates. Each company has to make this determination: whether to leave the port open, physically block the port from being used, or address the issue via system configuration.
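The third option above, addressing USB mass storage through system configuration, is easy to state and easy to get subtly wrong. The following is an added example, not from the podcast or WPI, that audits a Linux host's modprobe configuration for the usb-storage kernel module and distinguishes a `blacklist` line (which only stops automatic loading by hardware alias) from an `install usb-storage /bin/false` line (which prevents the module from loading at all, whether requested by name or as a dependency). The sample configuration and /proc/modules text are constructed; a Windows host would need a different check.

```python
"""Audit whether USB mass storage is disabled by Linux modprobe configuration.

Added example, not from the podcast or WPI. Assumes the Linux module name
`usb-storage` (also written `usb_storage`) and the standard modprobe.d
directive syntax. Sample inputs below are constructed.
"""
import glob
import os

MODULE = "usb-storage"


def classify_modprobe_config(text):
    """Classify one modprobe.d file's stance on usb-storage.

    'hard' - an `install usb-storage <cmd>` line diverts module insertion to
             a command such as /bin/false, so the module cannot be loaded
             by name or pulled in as a dependency.
    'soft' - only `blacklist usb-storage`, which stops automatic loading by
             device alias but still permits an explicit `modprobe`.
    'none' - no directive mentioning usb-storage.
    """
    stance = "none"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        # modprobe treats '-' and '_' in module names as equivalent
        name = parts[1].replace("_", "-") if len(parts) > 1 else ""
        if name != MODULE:
            continue
        if parts[0] == "install" and len(parts) >= 3:
            return "hard"
        if parts[0] == "blacklist":
            stance = "soft"
    return stance


def audit_modprobe_dir(conf_dir):
    """Return the strongest stance found across all *.conf files in conf_dir."""
    rank = {"none": 0, "soft": 1, "hard": 2}
    best = "none"
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            stance = classify_modprobe_config(fh.read())
        if rank[stance] > rank[best]:
            best = stance
    return best


def module_loaded(proc_modules_text, module=MODULE):
    """True if the module is currently listed in /proc/modules text.

    Configuration only governs future loads; a module that is already
    resident stays resident until it is unloaded or the host reboots.
    """
    wanted = module.replace("-", "_")  # /proc/modules uses the underscore form
    return any(line.split()[0] == wanted
               for line in proc_modules_text.splitlines() if line.strip())


# Recommended content for a file such as /etc/modprobe.d/usb-storage.conf
RECOMMENDED_CONF = (
    "# Disable USB mass storage; removable media must go through the\n"
    "# approved intake process instead.\n"
    "install usb-storage /bin/false\n"
    "blacklist usb-storage\n"
)

# Constructed samples used for demonstration
SAMPLE_SOFT = "# only blocks autoload\nblacklist usb_storage\n"
SAMPLE_NONE = "blacklist firewire-core\n"
SAMPLE_PROC_MODULES = (
    "usb_storage 77824 0 - Live 0x0000000000000000\n"
    "uas 28672 0 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    print("recommended config:", classify_modprobe_config(RECOMMENDED_CONF))
    print("blacklist-only config:", classify_modprobe_config(SAMPLE_SOFT))
    print("this host (/etc/modprobe.d):", audit_modprobe_dir("/etc/modprobe.d"))
    print("usb-storage resident in sample:", module_loaded(SAMPLE_PROC_MODULES))
```

The check covers only the mass-storage class; keyboards, network adapters and other USB device classes are unaffected by it, which is why the physical-block option the notes mention is sometimes chosen instead. Run the audit from configuration management or an endpoint agent and treat a "soft" or "none" result on an FCI-handling system as a finding to fix, not merely to log.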

FAR 52.204-21 extends to subcontractors. It is known as a flow-down clause, and the substance of the clause is required to be flowed down if FCI will be passed to a supplier or subcontractor.

FAR 52.204-21 does not explicitly require policies and procedures (company instructions). The contractor is required to apply 15 safeguarding requirements and procedures to protect covered contractor information systems. The use of policies, procedures, and other supporting documents can assist with tailoring implementation to focus on only what is needed.

Policies and procedures can help to establish systematic and repeatable processes that are not impacted by staff turnover or differing perspectives on what is necessary.

As an example, the clause requires contractors to implement access lists. Access lists require effort to create and maintain, and there is no limit to the number of individuals who can be permitted access. The question is who requires access: does everyone need access to a certain type of information, process, or machine? If not, who does? The use of access lists can be extended to visitors and visitor visits. Use of an access list places decisions where they should be made, rather than expecting a shop employee to determine with whom specific information can and cannot be shared.
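To make the access-list idea concrete, here is an added example (not from the podcast or WPI) of a minimal, deny-by-default access list for an FCI holding. The information owner records each grant and the reason for it, staff consult the list rather than deciding on the spot, and visitor grants carry an expiry so they lapse without anyone remembering to revoke them. Every decision is appended to an audit trail. All names, resources, and dates are constructed.

```python
"""Deny-by-default access list for FCI holdings, with visitor expiry.

Added example, not from the podcast or WPI. Names, resources and dates
are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESOURCE = "share://fci/contract-123"  # constructed FCI holding


@dataclass(frozen=True)
class Grant:
    subject: str                     # person or role being granted access
    resource: str                    # FCI holding: a share, a document set, a machine
    granted_by: str                  # information owner who made the decision
    expires: Optional[date] = None   # None = standing grant; visitors get a date
    reason: str = ""


@dataclass
class AccessList:
    grants: list = field(default_factory=list)
    decisions: list = field(default_factory=list)  # audit trail of every check

    def grant(self, subject, resource, granted_by, reason, days=None, today=None):
        """Record a grant; `days` limits its life (used for visitors)."""
        today = today or date.today()
        expires = today + timedelta(days=days) if days is not None else None
        g = Grant(subject, resource, granted_by, expires, reason)
        self.grants.append(g)
        return g

    def is_allowed(self, subject, resource, today=None):
        """Deny unless an unexpired grant exists for this exact subject and resource."""
        today = today or date.today()
        allowed = any(
            g.subject == subject and g.resource == resource
            and (g.expires is None or today <= g.expires)
            for g in self.grants
        )
        self.decisions.append((today.isoformat(), subject, resource, allowed))
        return allowed

    def who_has_access(self, resource, today=None):
        """Current subjects for a resource: the list an owner reviews periodically."""
        today = today or date.today()
        return sorted({g.subject for g in self.grants
                       if g.resource == resource
                       and (g.expires is None or today <= g.expires)})

    def stale_grants(self, today=None):
        """Expired grants that should be removed from the list."""
        today = today or date.today()
        return [g for g in self.grants if g.expires is not None and g.expires < today]


def build_sample_list():
    """Constructed sample: one standing staff grant and one five-day visitor grant."""
    acl = AccessList()
    d0 = date(2025, 9, 9)
    acl.grant("j.doe", RESOURCE, "owner.smith", "contract deliverables", today=d0)
    acl.grant("visitor.lee", RESOURCE, "owner.smith", "site visit, escorted",
              days=5, today=d0)
    return acl


def demo_decisions():
    """Decisions the sample list yields on a few constructed dates."""
    acl = build_sample_list()
    d0 = date(2025, 9, 9)
    return {
        "staff_on_list": acl.is_allowed("j.doe", RESOURCE, d0),
        "staff_not_on_list": acl.is_allowed("shop.worker", RESOURCE, d0),
        "visitor_day_5": acl.is_allowed("visitor.lee", RESOURCE, d0 + timedelta(days=5)),
        "visitor_day_6": acl.is_allowed("visitor.lee", RESOURCE, d0 + timedelta(days=6)),
        "current_subjects": acl.who_has_access(RESOURCE, d0),
        "stale_on_day_6": [g.subject for g in acl.stale_grants(d0 + timedelta(days=6))],
        "decisions_logged": len(acl.decisions),
    }


if __name__ == "__main__":
    for key, value in demo_decisions().items():
        print(f"{key}: {value}")
```

The shape matters more than the code: the owner, not the person at the workstation, is the only one who adds entries; anyone not on the list is denied; and `who_has_access` and `stale_grants` give the owner the periodic review the notes call for. The same structure extends to physical access by treating a room or a visit as the resource.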

Policies and procedures can also assist with more mundane issues, such as whether appointments are needed or all visitors will be welcome. In a business setting the issue of visitors can be somewhat murky, whereas visitor access in other settings, such as one’s home, is crystal clear with specific boundaries.

Each of the 15 security requirements requires a thoughtful approach.