Compliance Services

DFARS. NIST. DIACAP TO RMF. OH MY!

Risk Management Framework. DFARS 252.204-7012 Unclassified Controlled Technical Information. DIACAP-to-RMF transitions. NIST control compliance. It's all now a reality if you're doing business with the federal government. We understand it can be a bit overwhelming when you're faced with implementing or abiding by new regulations, guidelines, compliance standards and other cyber security controls.

But, it doesn't have to be. VLC's experienced professionals can provide exactly the help you seek. Whether you need one of our pre-defined, standard quick reviews that provide easy-to-understand, actionable plans or a customized compliance review or audit, we'll provide the most cost-efficient solution you need because we do this every single day.

DFARS & NIST DCMA AUDITS

ARE YOU 100% COMPLIANT ON DFARS 252.204-7012 AND NIST SP 800-171?

The deadline for DoD contractors has expired. DoD contractors must now be compliant with DFARS 252.204-7012 and all related DFARS regulations, including NIST SP 800-171. There is no grace period. Contractors are being audited by DCMA, with the audits focusing specifically on their NIST SP 800-171 compliance, their System Security Plan (SSP), Plan of Action and Milestones (POA&M), and policies.

WHAT DOES "DFARS COMPLIANT" MEAN? HAS THAT CHANGED RECENTLY?

The definition of "DFARS Compliance" was clarified in a Sept 21, 2017 memo from the Office of the Under Secretary of Defense.

In summary, the DoD softened the compliance requirements to enable more contractors to meet the end-of-2017 deadline for compliance. At that time, contractors weren't required to remediate every NIST SP 800-171 gap.

While that regulation hasn't officially changed, the DCMA Inspectors General have ruled that contractors must be diligent and sincere in addressing the requirement. Therefore, they are specifically reviewing the accuracy and status of your SSP, POA&M, policies AND IMPLEMENTATION of the cybersecurity controls defined in NIST SP 800-171.

All of our clients that have undergone these audits have passed on the first try. If you are facing an audit, we can help! We can answer any questions you have now and provide advice, services, and support to help you pass your audit.

And, if you haven't yet addressed your regulatory compliance requirements, we can help you obtain compliance within a few weeks.

Schedule a free call with us today! We are glad to answer your questions. (No pushy sales people, we promise.)

ASSESSMENT AND COMPLIANCE SERVICES FOR DFARS 7012

ARE YOU PREPARED TO IMPLEMENT THE DFARS REQUIREMENT TO PROTECT COVERED DEFENSE INFORMATION (CDI)?

The Department of Defense, along with the watchful eyes of many other federal organizations that are expected to follow suit, has been addressing the need for major improvements in cyber security throughout its entire ecosystem, which of course includes contractors that supply services and products to the DoD. One major regulation in this effort is a set of clauses, DFARS 252.204-7008, DFARS 252.204-7009 and DFARS 252.204-7012, that reference the NIST SP 800-171 control standards.

This almost infamous DFARS regulation has gone through quite a few changes since its introduction on November 18, 2013. Originally, there were unresolved concerns that required clarification. Since then, several updates to the clause have provided definitive requirements and time frames that make one thing clear: DoD government contractors must be compliant with this regulation to keep and win DoD contracts.

Bottom line: government contractors should assess their compliance under DFARS 252.204-7012 and fix any security holes as defined by NIST SP 800-171. Many existing DoD contracts and all new contracts will now contain this clause.

DoD contractors and subcontractors must comply with the new Defense Federal Acquisition Regulation Supplement (DFARS) clause parts 204, 212 and 252, Safeguarding Covered Defense Information (CDI). This information is also a category of Controlled Unclassified Information (CUI).

These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access or disclosure, and define reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor's unclassified information systems.

The clauses require implementation of the National Institute of Standards and Technology (NIST) SP 800-171 controls, 110 individual requirements, and the reporting of incidents within 72 hours of occurrence.

HOW DOES IT AFFECT YOU? ARE YOU READY?

The regulation applies to all prime contractors, subcontractors and universities. Your contract may include audit provisions to ensure compliance.

VLC SECURITY PROFESSIONALS CAN HELP: DFARS CDI ASSESSMENT SERVICE

Our certified security professionals have many years of experience helping organizations implement NIST and Risk Management Framework (RMF) requirements. We can quickly navigate the NIST controls and develop a cost-effective implementation plan that builds on your current security posture, saving you time, freeing your critical resources to do their job and saving you money.

Our DFARS CDI Assessment service will ensure you meet all of the DFARS 252.204-7012 compliance requirements in approximately four to six weeks:

  • Controls Review Workshop: CDI location and use will be reviewed against NIST SP 800-171 controls
  • Gap Analysis
  • Plan of Action & Milestones (POA&M)
  • System Security Plan (SSP)
  • Conducting Risk Assessments to determine NIST compliance standards
  • FIPS 199 and NIST SP 800-60 data classification
  • Provide recommendations for updating your security policies to incorporate the new DFARS requirements
  • Develop incident response plans, processes, workflow documents and other material that must be completed in response to an incident
  • Provide and review final report and remediation strategies

CUI (& CDI) REGISTRY & MARKINGS

WHAT IS CONTROLLED UNCLASSIFIED INFORMATION (CUI)?

In 2010, Executive Order 13556 created the Controlled Unclassified Information program in response to nation states' stealing critical information from federal contractors, such as the F35 Fighter Plane plans.

IS THERE A DEFINITIVE SOURCE THAT DEFINES CONTROLLED UNCLASSIFIED INFORMATION (CUI)? IS THIS THE CUI REGISTRY?

Yes, the National Archives website provides this complete CUI Registry that clarifies and further describes the complete scope of Covered Defense Information.

HOW IS COVERED DEFENSE INFORMATION (CDI) RELATED TO CUI?

Covered Defense Information is CUI, as described in the Controlled Unclassified Information (CUI) Registry, that is related to a DoD contract. CDI requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

WHERE CAN I LEARN MORE ABOUT CUI MARKINGS?

A CUI marking guide is available for download.

WHAT IS "OPERATIONALLY CRITICAL SUPPORT"?

Operationally Critical Support is defined as "Supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation." The contract will include notification of when the contractor will provide operationally critical support. The DoD identifies three types of operationally critical support. Examples include but are not limited to the following:

  • Operationally critical support for mobilization, which is addressed under the distribution and sustainment categories below.
  • Operationally critical support for distribution includes but is not limited to:
    • (a) Airlift, sealift, aeromedical, and intermodal transportation services and their associated material handling and ground handling labor or stevedore services.
    • (b) U.S. railroad, truck, barge, ferry, and bus services provided by passenger and freight carriers and their associated material handling and ground handling labor services.
    • (c) Third party logistics (3PL) services provided by non-equipment-owning brokers and freight forwarders.
    • (d) Transportation Protection Services for arms, ammunition, and explosives (AA&E) and courier materiel.
    • (e) Transportation and packaging of hazardous material.
    • (f) Information technology systems and network providers essential to the command, control, operation, and security of the contingency transportation mission functions delineated in (a) through (e).
  • Operationally critical support for sustainment includes but is not limited to:
    • (a) Local acquisition of liquid logistics (water and fuel of all types); Cl I, fresh fruits and vegetables; local meat/bread products; and bottled gases (e.g., helium, oxygen, acetylene).
    • (b) Supply chain for rare earth metals.
    • (c) Procurement and product support for critical weapons systems identified by the requiring activity, such as the F-22 and F-35.
    • (d) The prime contractors and subcontractors for critical weapons systems in development and sustainment that are fielded to the AOR.
    • (e) Contractor logistics (maintenance and supply) support. Examples include unmanned aerial systems maintenance, (aviation) training command maintenance support, or performance-based logistics/performance-based arrangements.
    • (f) Depot-level maintenance for critical items, particularly in public-private partnerships.
    • (g) Information technology systems and network providers essential to the command, control, operation, and security of the contingency supply and maintenance mission functions delineated in (a) through (f).

WHAT IS CONTROLLED TECHNICAL INFORMATION?

Controlled technical information is defined as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

NIST SP 800-171

WHAT IS NIST SP 800-171?

NIST Special Publication 800-171 is a set of security requirements that may be added to or referenced in federal contracts with the goal of improving the protection of Controlled Unclassified Information (CUI). It defines uniform policies and practices across the federal government and throughout all prime and subcontractor companies conducting business with the US federal government. Generally, the NIST SP 800-171 requirements are referenced and added to DoD contracts through the DFARS 252.204-7012 regulation.

The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53, and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information). The requirements and security controls have been determined over time to provide the necessary protection for federal information and systems that are covered under the Federal Information Security Modernization Act (FISMA) of 2014. FISMA requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or of information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. This publication focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. It does not change the information security requirements set forth in FISMA, nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.

The final release of NIST Special Publication 800-171, Revision 1, is available from NIST's website.

WHAT IS NIST SP 800-53?

NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security.

I'M CONFUSED, DO I NEED TO BE COMPLIANT WITH BOTH NIST SP 800-171 AND NIST SP 800-53?

Not really. INITIALLY, the DFARS 252.204-7012 regulation related to these two Special Publications specified a subset of SP 800-53 controls that DoD government contractors were required to comply with. Contractors were never required to meet all of the 800-53 controls. However, since 800-53 was intended for federal systems, NIST created the new Special Publication 800-171 specifically for that DFARS requirement for defense contractors to follow.

In layman's terms, you can think of SP 800-171 as "800-53 Lite".

IS NIST SP 800-171 ONLY RELATIVE TO DOD CONTRACTORS?

Currently, only DoD contractors are required to assess their compliance and complete any compliance gaps by December 31, 2017.

HOWEVER, the US federal government has stated its intent that ALL FAR contracts will include the requirement to be compliant with NIST SP 800-171 over the next few years. Some regulations have already been put into place, with more coming.

As of DECEMBER 2016, NIST announced the release of Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations. This Special Publication has been approved as final.

WE ARE A FEDERAL CONTRACTOR, BUT WE DON'T HAVE ANY DEPARTMENT OF DEFENSE (DOD) CONTRACTS. WHAT DOES NIST SP800-171 MEAN TO ME?

This means your company will almost certainly have to change procedures and policies, likely incurring capital expenditures to replace or upgrade computers, network equipment, applications, email systems and more. We cannot emphasize strongly enough: YOU NEED TO UNDERSTAND THIS IMPACT SOONER, RATHER THAN LATER.

As VLC has helped DoD contractors complete their NIST SP 800-171 compliance assessments, we have learned that almost every company needed to make capital investments in improving their computer and networking security posture, including email, virus protection, two-factor authentication and more. Companies that learned of these requirements earlier were able to save significant costs by considering these new requirements within their normal asset replacement cycles. Some companies avoided costly mistakes that would have occurred due to uninformed upgrades or equipment replacements with non-compliant solutions. Instead, their additional costs were minimized. Firms that must rush to meet compliance under deadline may find themselves replacing expensive, newly purchased ERP, CRM, and other applications due to non-compliance.

WHAT IS THE BEST WAY TO REDUCE THE COST OF BECOMING COMPLIANT ON NIST SP 800-171?

The very best way to reduce the impact to your organization and your costs is to complete your assessment as early as possible. Firms that conduct this assessment in the first half of 2017 will likely have almost two years to plan equipment upgrades and replacements, which is generally 2/3 of most companies' replacement equipment buy cycles.

WHAT OTHER INFORMATION IS AVAILABLE ABOUT NIST SP 800-171?

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program's mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines, which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their non-federal partners, including contractors.

In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on non-federal organizations by jointly developing Special Publication 800-171 with NIST, which defines security requirements for protecting CUI in non-federal systems and organizations. This approach will help non-federal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to non-federal systems, allowing non-federal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.

Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor, in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information give rise to confusion and inefficiencies.

The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.

NIST SP 800-171 COMPLIANCE SERVICE

You've completed your DFARS 252.204-7012 compliance, but now have a list of cybersecurity compliance issues documented in your Plan of Action & Milestones (POA&M). The vast majority of these POA&M gaps are failures in NIST SP 800-171 standards compliance.

So, what's the right approach to fixing these gaps? What's the least impact to your company, while still meeting the requirements and intent of the NIST SP 800-171 standard? VLC can help you meet your NIST compliance requirements efficiently and cost-effectively. In fact, you will likely be able to mitigate many of your gaps without purchasing additional new hardware and software. When you do need to make a purchase, our experience will show you the best choice for your organization.

Our NIST SP 800-171 Compliance Service includes:

  • VLC will assign at least one Cybersecurity Engineer to perform tasks to bring you into, and maintain, compliance with NIST SP 800-171
  • Working with your chosen IT Services Provider, and other personnel as needed, we will help you finalize the approach, costs, milestones, and completion dates for all items included on the POA&M
  • Our team member(s) will serve as the cybersecurity lead for all POA&M items, ensuring that all POA&M milestones and completion dates are met on schedule and within budget
  • We will create and help implement a strategy for your organization to maintain compliance for DFARS 252.204-7012, NIST SP 800-171, and any future related requirements or changes to those standards, including the following:
    • Continuous Monitoring Service
    • Periodic Security, Vulnerability, and Risk Assessments as deemed needed
  • Maintaining and ensuring these processes are performed correctly and in a timely fashion
  • Leading the effort to draft and implement your cybersecurity policies
  • Maintaining and updating your System Security Plan

NIST SP 800-53 CONTROLS

WHAT IS NIST SP 800-53?

NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security.

More information on SP 800-53 is available on Wikipedia.

The National Vulnerability Database also provides an excellent way to review the NIST SP 800-53 controls.

I'M CONFUSED, I'M A DOD CONTRACTOR. DO I NEED TO BE COMPLIANT WITH NIST SP 800-53 BECAUSE OF DFARS 252.204-7012?

Not really. This is a common misunderstanding due to the history of that DFARS regulation. INITIALLY, the DFARS 252.204-7012 regulation related to these two Special Publications specified a subset of SP 800-53 controls that DoD government contractors were required to comply with. Contractors were never required to meet all of the 800-53 controls. However, since 800-53 was intended for federal systems and was never designed to be selectively 'cherry picked' between the various controls, NIST created the new Special Publication 800-171 specifically for that DFARS requirement for defense contractors to follow.

In layman's terms, you can think of SP 800-171 as "800-53 Lite".

FAR 32 CFR 2002 & NIST SP 800-171

WHAT IS FAR 32 CFR 2002 AND HOW DOES IT RELATE TO NIST SP 800-171?

FAR 32 CFR 2002 is a Federal Acquisition Regulation that will require all federal contractors to improve their safeguarding of Controlled Unclassified Information (CUI). It requires federal contractors to be compliant with NIST Special Publication 800-171.

NIST Special Publication 800-171 is a set of security requirements that may be added to or referenced in federal contracts beginning in November 2016. It defines uniform policies and practices across the federal government and throughout all prime and subcontractor companies conducting business with the US federal government. Generally, the NIST SP 800-171 requirements are referenced and added to DoD contracts through the DFARS 252.204-7012 regulation, or by adding the FAR 32 CFR 2002 clause to non-DoD federal contracts.

48 FAR 52.204-21

WHAT IS 48 FAR 52.204-21?

Finalized and approved in June 2016, the 48 FAR 52.204-21 Federal Acquisition Regulation (FAR) requires all federal contractors to improve their basic safeguarding of covered contractor information systems. It requires federal contractors to implement the fifteen cybersecurity and physical security controls listed below. These are a very basic subset of the NIST Special Publication 800-171 controls for safeguarding Controlled Unclassified Information (CUI) and/or Covered Defense Information (CDI) that defense contractors must follow.

48 FAR 52.204-21 is a set of security requirements that have been added to federal contracts beginning in June 2016. It defines uniform policies and practices across the federal government and throughout all prime and subcontractor companies conducting business with the US federal government. The fifteen safeguarding requirements and procedures are shown below:

The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  • Verify and control/limit connections to and use of external information systems.
  • Control information posted or processed on publicly accessible information systems.
  • Identify information system users, processes acting on behalf of users, or devices.
  • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • Identify, report, and correct information and information system flaws in a timely manner.
  • Provide protection from malicious code at appropriate locations within organizational information systems.
  • Update malicious code protection mechanisms when new releases are available.
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

If you or your company are seeking help understanding the requirements, assessing your compliance and/or meeting compliance, VLC can help! Please contact us.