Saturday, April 1, 2023

FAR 52.204-21


FAR 52.204-21 is a federal regulation that requires government contractors who handle federal contract information (FCI) to implement basic safeguarding measures on their information systems.

The regulation outlines 15 basic safeguarding requirements that contractors must implement to protect FCI from unauthorized access or disclosure. These cover areas such as limiting system access to authorized users, protecting the confidentiality of information, and reporting security incidents to the government.

The 15 basic safeguarding requirements under FAR 52.204-21 are:

  1. Limit system access to authorized users, processes acting on behalf of authorized users, or devices.
  2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control the connections to external systems.
  4. Employ cryptographic mechanisms to protect the confidentiality and integrity of transmitted information.
  5. Maintain and implement software and firmware updates for all components of the system that are necessary to address known security vulnerabilities.
  6. Maintain and implement security-relevant software and firmware updates within a time period consistent with risk, but not to exceed 30 days from the release of the update.
  7. Generate and retain system audit logs and records to the extent needed to enable the detection, investigation, and response to security incidents.
  8. Monitor system security alerts and advisories and take appropriate actions in response.
  9. Perform periodic scans of the information system and real-time scans of files from external sources as files are being downloaded, opened, or executed.
  10. Implement advanced authentication measures beyond username and password.
  11. Ensure that the system automatically locks the account or session after a defined period of inactivity.
  12. Employ mechanisms to limit the impact of potential malware propagation.
  13. Maintain backup and restoration capabilities.
  14. Implement processes to securely transfer data from one system to another.
  15. Implement advanced protections for network protocols to ensure integrity and confidentiality of transmitted data.

In addition to the basic safeguarding requirements, the regulation also requires contractors to flow down the same requirements to any subcontractors who handle FCI.

Compliance with FAR 52.204-21 is mandatory for government contractors who handle FCI. Failure to comply with the regulation can result in penalties, including contract termination and legal action.
