New FAR Requirement and ITAR
Started by j1of1 · Jun 3, 2016 · 2 replies
- jOriginal post
j1of1
Jun 3, 2016 · 10y ago
In another step in a series to strengthen protection of information systems DoD on 16 May 2016 added a new FAR subpart 4.19 and contract clause 52.204-21 for the "Basic Safeguarding of Covered Contractor Information Systems." The focus of this new rule is on the safeguarding of contractor information SYSTEMS that are owned or operated by a contractor that processes, stores or transmits Federal contract information. Previous cybersecurity guidance (DFARS) was released - and is still in effect - regarding protecting information. This new rule pertaining to information SYSTEMS becomes effective this month (June, 2016) for new contracts or when the contractor accepts the clause.
There is a FLOWDOWN requirement. Contractors must flow down the requirement to safeguard information systems to subcontracts at all tiers under the effected contract in which "the subcontractor may have Federal information residing in or transiting through its information system."
My question: Is the flow-down requirement applicable to foreign contractors and ITAR data that has been shared through State?
- D
Don Mansfield
Jun 3, 2016 · 10y ago
Why wouldn't it be?
- N
Navy_Contracting_4
Jun 22, 2016 · 9y ago
The clause seems unambiguous -
Quote
(c) Subcontracts. The Contractor shall include the substance of this clause, . . . in subcontracts . . . in which the subcontractor may have Federal contract information residing in or transiting through its information system.
There is no exception for foreign subcontractors. If you want to exclude one or more foreign contractors from the application of this clause, approval of a deviation from the FAR would seem to be needed. In today's environment, I think it unlikely that such an approval would be easy to obtain.
If you're unsure whether the "ITAR data that has been shared through State" meets the definition of "Federal contract information," ask your contracting officer.