The Wifcon Forums and Blogs

AaronPied

Will FAR 52.204-21 end cloud-based communications?


As someone new to USAID contracting and running a small business, I am curious to ask anyone their thoughts on this new FAR clause (Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)).

Based on the blogs I have read, this clause will likely be included in most future contracts. As a small business, we use Google Apps, Dropbox, sales applications, and other 3rd party applications that are cloud-based because of their affordability and practicality (we don't need an IT team). Provided we win future contracts with this clause, we will surely have "Federal Contract information" as defined in this clause on all of these cloud-based systems and applications.

The clause does not specifically mention cloud computing or prescribe any controls or requirements that directly address the use of cloud solutions. But the way I read the clause, my company does not have control over the employees at Amazon, for example (where many of the 3rd party apps store their data), so we cannot really know who has access to the data. It is unclear to me whether this clause will eventually make cloud computing and communication unallowable for contractors unless all servers are in-house.

Furthermore, I am concerned that this has the potential of placing a large financial burden on small businesses to finance and restructure how information is stored and communicated. Does anyone have any thoughts, or am I worrying about this too much?

4 hours ago, AaronPied said:

Based on the blogs I have read,

Did you read the Federal Register Notice for the final rule for this clause? If not, it might be worth your time to review. Here is a link to the Federal Register Notice:

https://www.federalregister.gov/articles/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems


Hello AaronPied,

The clause is for having cyber security in place. Networks are under constant attack from hackers, so we need to establish protocols to defend ourselves from attacks. Having a cyber security trained workforce is the main tool to do this once you have the basic network security in place. If you are in business it might be worth the investment in preventing a leak rather than responding to an incident. There are companies that provide the service of probing your network and then giving you a report on the weaknesses discovered and how to fix them: the major network security weakness always lies somewhere between the keyboard and the chair...

If there is an incident involving Federal data, your company will be called to prove that it took the basic security measures to prevent it or there may be a liability (the higher the classification the higher those basic measures and liabilities become). Other than that, it is never a good thing when your company appears on the news as being hacked...

Selling widgets carries a fairly lower risk of being hacked for information than selling personnel financial services; your company should (must) assess the risk and respond accordingly.

Good luck in your business endeavors!
