Federal

Federal Contract Information (FCI) is defined as federal information that isn’t meant for public release but is provided by or created for the government as part of a contract to deliver a product or service. This doesn’t include publicly accessible information, like that found on government websites, or straightforward data for processing payments. Any company handling FCI must implement the requirements identified in FAR 52.204-21, which lists 15 required safeguards for contractor systems. These requirements apply to any federal award that includes clause 52.204-21.

If your federal contract or purchase order contains this FAR clause, even just as a reference, your company is expected to put these safeguards in place. Additionally, prime contractors are responsible for ensuring that any subcontractors and suppliers who handle FCI also follow these security practices, even if the work involves commercial products or services. This flow-down responsibility means reviewing the terms and conditions of contracts from your prime and considering the same safeguards when setting up contracts with your own subcontractors and suppliers.

FAR 52.204-21 compliance is required, but implementing these 15 measures will not satisfy security requirements for other types of information. These safeguards specifically address FCI. Other contracts may involve other categories of data, such as Controlled Unclassified Information (CUI), JCP, ITAR, and NOFORN. Some basic principles apply across all of them; however, each type is likely to have specific requirements identified in separate federal guidelines. To highlight this fact, the clause also specifies, “This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.”

Meeting FAR 52.204-21 requirements establishes the least common denominator of actions needed for safeguarding your information system and keeping both your data and FCI data secure. Additionally, implementing these 15 requirements is a requirement for contract compliance and for reducing risk to your business.