Skip to Content
Home FAR 52.204-21: Basic Safeguarding of Contractor Information Systems Basic Understanding (1 of 5 courses, first course is free)

FAR 52.204-21: Basic Safeguarding of Contractor Information Systems

0 %

Completed

Course content

Basic Understanding (1 of 5 courses, first course is free)

10 XP
Prev Next
Fullscreen Share
Source Web Page

Minimum Security Protocol Introduction

The referenced document, publicly available, outlines Federal Acquisition Regulation (FAR) clause 52.204-21, which establishes the mandatory minimum security protocols for private contractors handling non-public government data. It defines covered contractor information systems and identifies the specific types of federal contract information that require protection. The regulation mandates fifteen basic safeguarding requirements, ranging from access control and identity authentication to malicious code protection and physical equipment security. Furthermore, it stipulates that these cybersecurity obligations must be extended to subcontractors who interact with the same sensitive data. Ultimately, this document serves as a legal framework to ensure that contractual information remains secure while residing on or moving through external private networks.
Rating
0 0

There are no comments for now.

Join this Course
to be the first to leave a comment.

1. According to FAR 52.204-21, what is a 'covered contractor information system'?
"An information system owned or operated by a contractor that processes, stores, or transmits Federal contract information." "An information system owned or operated by a contractor that processes Federal contract information."
2. What is the definition of 'Federal contract information' (FCI)?
Information not intended for public release that is provided by or generated for the Government under a contract to deliver a product or service. Information intended for public release that is provided by or generated for the Government under a contract to deliver a product or service.
3. Does 'Federal contract information' include information provided by the Government to the public on websites?,
"No, it specifically excludes information provided to the public." Yes
4. What type of 'simple transactional information' is excluded from the definition of Federal contract information?
Information necessary to process payments. Information necessary to setup a Prime Contract
5. According to CNSSI 4009, how is 'information' defined in the context of FAR 52.204-21?
Any communication or representation of knowledge such as facts, data, or opinions, in any medium or form. Any communication or representation of knowledge such as facts, data, or opinions, in writing.
6. What constitutes an 'information system' under 44 U.S.C. 3502?
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Cloud information systems organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
7. In the context of contractor information systems, what does 'safeguarding' mean?
Measures or controls prescribed to protect information systems Measures or controls prescribed to employees who work for the contractor
8. To what three entities must information system access be limited?
Authorized users, processes acting on behalf of authorized users, or devices. Authorized users, Application Programming Interfaces (API), or devices.
9. Information system access must be limited to specific types of _____ and _____ that authorized users are permitted to execute.
Transactions and functions People and processes
10. What must a contractor do regarding connections to external information systems?
Verify and control or limit those connections. Monitor incoming and outgoing traffic.
11. Where must a contractor control information being posted or processed?
On publicly accessible information systems. On internal email.
12. As a prerequisite to allowing access to organizational systems, a contractor must _____ the identities of users, processes, or devices.
Authenticate (or verify) use biometrical means to verify
13. What action must be taken on information system media containing FCI before disposal?
Sanitize or destroy the media. Backup the data for archival purposes.
14. Physical access to information systems and equipment must be limited to _____.
Authorized individuals those who have signed a disclosure
15. Besides limiting access, what three physical safeguarding actions are required for visitors
Escort visitors, monitor visitor activity, and maintain audit logs of physical access. Two factor authentication, photo and visitor logs.
16. What physical hardware must be controlled and managed to protect information systems?
Physical access devices. Laptops, tablets but not cell phones.
Additional Resources
Join this Course to access resources